Is Slowloris still a threat in 2026?

Against properly configured modern servers, largely no. Default timeouts on nginx, Apache mod_reqtimeout, and cloud load balancers neutralize it. Against unpatched or misconfigured thread-per-connection origins exposed directly to the internet, yes: the underlying vulnerability (no timeout on incomplete requests) still exists if you create it.

How is Slowloris different from a slow POST attack?

Slowloris keeps HTTP headers from completing, so the request never reaches the body. A slow POST attack sends complete headers (including a large Content-Length) and then dribbles the request body byte by byte. Both hold connections open, but they target different stages of request parsing. Both are mitigated by similar timeout configurations.

Can a CDN stop Slowloris?

Yes. A CDN or reverse proxy terminates the client connection and opens a separate connection to your origin. Slow clients are handled at the edge with aggressive timeouts and per-IP limits. Your origin server never sees the slow connections. This is one of the most practical reasons to put any public-facing service behind a proxy layer.

Why doesn't rate limiting alone fix it?

Rate limiting controls requests per second, but Slowloris opens connections and sends almost no data. A single connection sending one byte every few seconds may never trigger a rate limiter while still holding a worker indefinitely. Connection limits and idle timeouts address the actual resource being consumed (open sockets) rather than request frequency.

← Blog

Slowloris: How a Slow HTTP Attack Works

June 9, 2026 · 10 min read

An interactive explanation of the Slowloris denial-of-service attack: how partial HTTP requests exhaust server connection pools, and what actually stops it.

A denial-of-service attack that whispers instead of shouts

Most people picture a denial-of-service attack as a flood: millions of packets hammering a server until bandwidth collapses. Slowloris, introduced by security researcher RSnake in 2009, works on a completely different principle. It doesn't need a botnet. It doesn't need much bandwidth. It just needs patience.

The idea is simple: open as many connections to a web server as you can, and send HTTP headers so slowly that each connection stays open indefinitely without ever completing a request. The server allocates a worker thread (or equivalent resource) to every open connection. Once the pool is full, every new visitor, including real users, gets turned away.

A single machine running a Slowloris script can take down an Apache server that would shrug off a volumetric flood. That's what made it remarkable when it appeared, and why understanding it still matters for anyone building or operating web infrastructure.

Why HTTP was designed to be trusting

HTTP/1.1 assumes clients are mostly well-behaved. When a browser connects, it sends a complete request (method, path, headers, blank line) and waits for a response. The server reads the request, processes it, sends a response, and closes the connection (or keeps it alive for reuse).

But nothing in the protocol requires the client to send the request quickly. A client can open a TCP connection, send one byte of a header, wait ten seconds, send another byte, wait again. From the server's perspective, this is a legitimate connection in progress. The server waits. It has to, because slow clients on bad mobile networks are real.

Thread-per-connection servers like traditional Apache with prefork MPM are especially vulnerable. Each open socket consumes a worker process whether or not useful work is happening. Ten slow connections on a server with ten workers means zero capacity left for anyone else.

What the attack looks like and how it compares

A normal HTTP GET request arrives in one shot: the client sends the request line, a few headers, a blank line, and it's done. The server can immediately start routing the request.

A Slowloris client sends the request line, then dribbles header fields one character at a time, or sends a header like Content-Length with a huge value and never sends the body. Some variants open connections and send partial headers, periodically adding a new header line to reset idle timers. The request never completes, but the connection never times out either.

A SYN flood exploits TCP's three-way handshake by sending SYN packets without completing connections, filling the server's half-open connection queue. Slowloris completes the handshake, so SYN cookies don't apply. Volumetric attacks overwhelm bandwidth; HTTP floods exhaust CPU with valid requests. Slowloris exhausts connection slots and worker threads with incomplete requests sent at kilobytes per second.

· Opens many TCP connections and sends headers extremely slowly
· Never sends the terminating blank line that completes the request
· Each connection holds a server worker until the pool is exhausted
· SYN flood: half-open queue. Volumetric: bandwidth. HTTP flood: CPU. Slowloris: connection pool.

Interactive lab: pool exhaustion, attack landscape, and mitigations

The lab below ties the pieces together in one system: a fixed worker pool, slow versus legitimate clients, a side-by-side view of how Slowloris compares to other denial-of-service patterns, and mitigations you can toggle (reverse proxy limits, idle timeouts). Click a connection slot to inspect wire-level HTTP. None of this sends real network traffic.

Slowloris attack lab

One origin server, optional reverse proxy, slow vs normal clients, and live request inspection

InternetReverse proxy (bypassed)Origin

Worker poolAccepting connections

0/8 slots0%

MitigationsReverse proxy (max 2 slow clients per IP)Origin idle timeout (4s)

Header drip interval: 800ms

Blocked: 0

Educational simulation only. No real network traffic is sent.

What actually mitigates it

The most effective defense is aggressive connection and header timeouts. If a client hasn't completed its request within a few seconds, close the socket. Modern versions of Apache, nginx, and most load balancers ship with sensible defaults that didn't exist in 2009. mod_reqtimeout for Apache and client_header_timeout in nginx exist specifically for this class of attack.

A reverse proxy or load balancer in front of the origin absorbs and filters slow connections before they reach application workers. The proxy can enforce per-IP connection limits: if one address holds more than a handful of open connections, drop the excess. This is why putting nginx or a cloud load balancer in front of a vulnerable origin essentially solves the problem.

Event-driven architectures (nginx, Node.js with proper connection handling, Go's net/http with timeouts) don't allocate one thread per connection, which makes pure Slowloris less effective, though slow clients can still exhaust file descriptors or memory if limits aren't configured. The fix is always the same: timeouts, limits, and not exposing thread-per-connection servers directly to the internet.

Key takeaways

Slowloris is a lesson in how protocol trust assumptions become attack surfaces. HTTP's tolerance for slow clients is a feature for real users on bad networks and a vulnerability when abused deliberately. The attack is old, well-understood, and largely mitigated by modern defaults, but the underlying pattern (holding scarce server resources with minimal client effort) appears in slow POST attacks, RUDY, and connection-draining techniques against databases and APIs.

· Slowloris exhausts connection pools by sending incomplete HTTP requests very slowly
· It targets application-layer resources, not bandwidth, making it cheap to run
· Thread-per-connection servers without timeouts are the most vulnerable
· Fix it with connection timeouts, header timeouts, per-IP limits, and a reverse proxy
· The lab above is educational. Never run attack tools against systems you don't own.