Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Slowloris and Iranian DDoS attacks SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Slowloris and Iranian DDoS attacks

In last couple of days we posted two diaries ( and  with information about Slowloris, a tool that was released last week that performs a resource exhaustion DoS attack on Apache web servers.

There has been a lot of chat about the tool on the web, so it was just a matter of time when we would see it using in real DoS attacks. Last week I posted a diary about two groups launching DDoS attacks on Iranian web sites ( Both of these attacks were relatively simple and used existing, old tools for performing DoS attacks.
However, over the weekend some forums and web sites asking people to run DDoS attacks "expanded" their selection of tools by including Slowloris – nothing we didn't really expect to see.

Regarding Slowloris, we received a lot of information from our readers about various scenarios when Slowloris does and does not work. First of all, Adrian Ilarion Ciobanu posted several diary comments pointing to his written two years ago describing similar attack to Slowloris. Adrian posted some interesting stuff too about Apache DoS attacks at Frank Breedijk wrote in to say that he tested Slowloris with Cisco CSS load balancers which appear to be immune.

Finally, an unofficial patch has been released at - I haven't tested it but the patch is supposed to dynamically change the TimeOut value depending on the load (which depends on the number of Apache processes that are currently processing HTTP requests).


I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Munich February 2022


400 Posts
ISC Handler
Jun 23rd 2009

Sign Up for Free or Log In to start participating in the conversation!