A Revolutionary Approach to DDoS Attacks: Understanding « Low & Slow » Methods
DDoS attacks are constantly evolving, becoming increasingly sophisticated and difficult to counter. Among the most insidious emerging threats, so-called « Low & Slow » attacks stand out for their subtle and persistent nature. Unlike traditional volumetric attacks that aim to overwhelm servers with a flood of requests, Low & Slow attacks infiltrate quietly, gradually consuming the target’s resources. This technique marks a strategic turning point in the world of cybersecurity.
What Is a « Low & Slow » DDoS Attack?
The term « Low & Slow » refers to a type of DDoS attack where the attacker sends a very low volume of traffic, but in a sustained and prolonged manner. The goal is not to trigger a system crash instantly, but to exhaust server resources little by little, while evading traditional detection systems.
This strategy is inspired by military « war of attrition » tactics, where the goal is to weaken the opponent over time rather than strike hard and fast. In a cyber context, it translates to keeping connections open for as long as possible by sending fragmented data slowly, often at the HTTP protocol level.
How Do Low & Slow Attacks Work?
Low & Slow attacks exploit server vulnerabilities by manipulating timing and expected HTTP behavior. Here are the main variants:
Slowloris
Slowloris is one of the best-known techniques. It sends incomplete HTTP headers and keeps the connection alive by periodically sending small packets. Since many servers wait for full headers before processing a request, this allows the attacker to monopolize connections without generating high traffic.
Slow HTTP POST
This variant targets HTTP POST requests. The attacker announces a large data payload in the Content-Length header but sends the body extremely slowly, byte by byte. This effectively locks server resources for extended periods.
RUDY (R U Dead Yet?)
RUDY sends form fields very slowly to exploit delays in web application response times. It is especially effective against dynamic web pages and application servers.
Why Are Low & Slow Attacks So Hard to Detect?
One of the main challenges of these attacks is their low network footprint. Traditional DDoS detection tools are designed to spot large spikes in traffic and are ineffective against slow, steady, and protocol-compliant traffic. As a result, these attacks can remain active for hours or even days before being identified.
Due to their persistent and stealthy nature, Low & Slow attacks can degrade website performance, cause increased response times, or saturate server queues—often without an obvious cause.
The Impact of a Low & Slow DDoS Attack
The consequences can be serious, especially for organizations that are unprepared:
- Partial or total unavailability of the website or application
- Poor user experience, leading to increased bounce rates
- Revenue losses, especially during prolonged downtimes
- Higher diagnostic costs, since the cause of slowdowns is difficult to trace
- Damage to reputation, particularly when critical services are affected
How to Protect Against Low & Slow Attacks
Defending against these modern DDoS threats requires an adaptive security strategy. Key measures include:
- Intelligent reverse proxies that analyze connection behavior
- Behavioral detection systems that monitor session duration and data flow patterns
- Aggressive timeout settings for inactive or incomplete connections
- Properly configured web application firewalls (WAFs)
- Advanced DDoS mitigation solutions that can recognize and block slow-rate attacks
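The behavioral detection and timeout measures listed above can be illustrated with a small check over a snapshot of open connections. This is an added example, not code from the original article; the Conn record, the threshold values and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions for illustration; tune them against a real baseline.
HEADER_DEADLINE_S = 10     # full request headers expected within this many seconds
MIN_BODY_RATE_BPS = 500    # minimum acceptable request-body rate (bytes/second)
BODY_GRACE_S = 5           # do not judge the body rate before this age
MAX_SLOW_PER_SOURCE = 3    # slow connections from one source that trigger a flag

@dataclass
class Conn:
    src: str               # client address
    age_s: float           # seconds since the connection was accepted
    headers_done: bool     # True once the blank line ending the headers arrived
    content_length: int    # declared Content-Length (0 if none)
    body_bytes: int        # request-body bytes received so far

def classify(c: Conn) -> str:
    """Return 'slow-headers', 'slow-body' or 'ok' for one open connection."""
    if not c.headers_done:
        return "slow-headers" if c.age_s > HEADER_DEADLINE_S else "ok"
    unfinished = c.body_bytes < c.content_length
    # Rate is averaged over the whole connection age (a simplification).
    if unfinished and c.age_s > BODY_GRACE_S and c.body_bytes / c.age_s < MIN_BODY_RATE_BPS:
        return "slow-body"
    return "ok"

def flag_sources(conns):
    """Map each source with too many slow connections to its per-type counts."""
    counts = defaultdict(lambda: defaultdict(int))
    for c in conns:
        verdict = classify(c)
        if verdict != "ok":
            counts[c.src][verdict] += 1
    return {src: dict(v) for src, v in counts.items()
            if sum(v.values()) >= MAX_SLOW_PER_SOURCE}

# Constructed snapshot of open connections (documentation address ranges).
SAMPLE = (
    [Conn("198.51.100.7", 120.0, False, 0, 0) for _ in range(4)]            # headers never finish
    + [Conn("203.0.113.9", 300.0, True, 1_000_000, 300) for _ in range(3)]  # about 1 B/s body
    + [Conn("192.0.2.20", 2.0, False, 0, 0),            # new, still within the header deadline
       Conn("192.0.2.21", 8.0, True, 50_000, 40_000),   # healthy upload
       Conn("192.0.2.22", 400.0, False, 0, 0)]          # one slow connection, under the limit
)

if __name__ == "__main__":
    for src, verdicts in flag_sources(SAMPLE).items():
        print(src, verdicts)
```

Neither flagged source would stand out in a bandwidth graph: the check keys on connection age and progress, not on traffic volume.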
Conclusion: A Silent but Serious Threat
« Low & Slow » DDoS attacks reflect a fundamental shift in the tactics used by malicious actors. While they may be less flashy than traditional volumetric assaults, they are no less dangerous—targeting the logic and behavior of servers rather than their raw capacity. Today, deploying smart, behavior-aware security systems is essential to effectively counter this growing threat.