Slow Loris Attack

Slow loris attack is a low and slow attack which uses minimal bandwidth to exhaust server resources and thus causing a denial of service. It is still a serious vulnerability in Apache server which constitutes 31 percent of all web servers.

Before seeing how the slow loris attack works, let's see how HTTP requests work.   

HTTP Requests

The HyperText Transfer Protocol is a plain text protocol used for sharing of information across the world wide web.

A simple HTTP request syntax is as follows:-

  1. A request line starting with the request method, the request target and then the HTTP version.

For example- 

GET /index.html HTTP/1.1

  1. The hostname which is the domain name assigned to the server.

For example-


  1. Additional optional headers.

For example-

X-header-*: randomdata

  1. Empty line with carriage return.

You can see the overview of a HTTP request in the network tab in the developer tools of your browser.


The slow loris attack exploits the fact that you can make a single HTTP request very slowly.

It keeps the connection open for as long as that inhibits the ability of the server to open more and more new connections. 

For example, if you open multiple connections to the server by making multiple HTTP requests, 

and keep sending random headers such as x-header-* with random data, the server assumes that the client runs on a very slow connection and keeps the connection open.

If the server creates a thread for every open connection using the limited resources available to it and If you open sufficient multiple connections and keep them running for long, you can essentially take down the server.


Lets try to run a slow loris attack on our barebone Apache server.

First run a local apache server. You can install XAMPP to do the same. 


Check if the server is running by going to localhost on your browser. You should see something like this.

Then install the python slowloris package. (You have to install python first if you haven't). 

Upon installation run slowloris to see usage.

                        Initiate simple attack by giving port as 80, no of sockets as 500 and host as localhost

                        slowloris -p 80 -s 500 localhost



R Refresh to see if your apache server is still running. 

If i If it doesn’t work then you have successfully run a slow loris attack on an Apache server.

                        Connect with me on LinkedIn