Article · Wikipedia archive · Last revised May 27, 2026

Slow DoS attack

The term slow DoS attack (SDA) was introduced in 2013, to clearly define a specific category of denial-of-service attacks which make use of low-bandwidth rate to accomplish their purpose. Similar terms can be found in literature, such as:application layer DoS, focusing on attacks targeting the application layer only, while a slow DoS attack may exploit lower-layers of the ISO/OSI stack low-rate DoS, focusing on the characteristics of using a limited amount of attack bandwidth, hence, for instance, including also exploit-based threats

Last revised
May 27, 2026
Read time
≈ 3 min
Length
794 w
Citations
12
Source
Wikipedia ↗

The term slow DoS attack (SDA) was introduced in 2013,1 to clearly define a specific category of denial-of-service attacks which make use of low-bandwidth rate to accomplish their purpose. Similar terms can be found in literature, such as:

  • application layer DoS,2 focusing on attacks targeting the application layer only, while a slow DoS attack may exploit lower-layers of the ISO/OSI stack
  • low-rate DoS,3 focusing on the characteristics of using a limited amount of attack bandwidth, hence, for instance, including also exploit-based threats

Particularly, in order to reduce bandwidth, a slow DoS attack often acts at the application layer of the ISO/OSI stack (e.g. in case of timeout exploiting threats4), although this is not a requirement.5 Such layer is however easier to exploit in order to successfully attack a victim even by sending it a few bytes of malicious requests.

The purpose of a slow DoS attack is (often, but not always4) to cause unavailability of a network service, by seizing all the connections the daemon is able to concurrently manage, at the application layer. Under such conditions, any new incoming connection, even from potentially legitimate clients, will not be accepted by the daemon, hence leading to a denial of service. In addition, once a connection is established/sized by the attacker, the adversary would keep it alive as long as possible (hence, avoiding connection closures, which could potentially free-up resources for legitimate clients).

Exploited parameters

According to Cambiaso et al,1 slow DoS attacks exploit one or more parameters characteristics of TCP-based connections. (Technically any stateful protocol that has a connection count limit will work, but TCP is the most common.) Such parameters are exploited to keep connections alive longer than expected by preserving the attack bandwidth, hence seizing the server resources for long times, by at the same time reducing attack resources.

Timeout

Many protocols include a timeout system for deciding when to close a connection. This may be a feature central to a protocol’s design (e.g. SSH uses a single open connection to interact) or an added feature (e.g. HTTP persistent connection allows a connection to be reused, saving resources). However, because the server promises to keep a connection open for a given amount of time, a malicious client can simply open many connections each requesting a long keep-alive timeout; the long timeout enables the attacker to keep connections open at a low resource cost. 6

In order to keep connections alive, reducing at the same time the attack bandwidth, considering a single connection, data are sent to the target service only at specific times, by exploiting the so-called Wait Timeout parameter,1 scheduling a periodic data sending activity (at the application layer): once the timeout expires, a specific payload (depending on the attack type and the approach used by the malicious user) is sent to the targeted daemon. While at lower layers of the ISO/OSI stack, timeouts may be relatively short, in this case, it may assume particularly long values, in the order of minutes.

Mitigations

A server can count and limit the number of connections made by each client (usually identified by IP address).7

A server can reduce the maximum timeout used.7

A server can modify its timeout algorithm to require a more substantial amount of data to be transferred in a given time frame before it considers the connection to be still alive. In other words, connections that are too slow are considered dead.7

See also

See also

References

References

  1. Cambiaso, Enrico; Papaleo, Gianluca; Chiola, Giovanni; Aiello, Maurizio (2013). "Slow DoS attacks: definition and categorisation". International Journal of Trust Management in Computing and Communications. 1 (3/4): 300–319. doi:10.1504/IJTMCC.2013.056440. hdl:11567/571723.
  2. Mantas, Georgios; Stakhanova, Natalia; Gonzales, Hugo; Hadian Jazi, Hossein; Ghorbani, Ali A. (2015). "Application-layer denial of service attacks: taxonomy and survey" (PDF). International Journal of Information and Computer Security. 7 (2–4): 216–239. doi:10.1504/IJICS.2015.073028. S2CID 3384390.
  3. Wu, Zhijun; Zhang, Liyuan; Yue, Meng (2015). "Low-Rate DoS Attacks Detection Based on Network Multifractal". IEEE Transactions on Dependable and Secure Computing. 13 (5): 559–567. doi:10.1109/TDSC.2015.2443807. S2CID 14728946.
  4. Cambiaso, Enrico; Papaleo, Gianluca; Chiola, Giovanni; Aiello, Maurizio (2015). "Designing and modeling the slow next DoS attack". Computational Intelligence in Security for Information Systems Conference (CISIS 2015). 249-259. Springer.
  5. Cambiaso, Enrico; Chiola, Giovanni; Aiello, Maurizio (2019). "Introducing the SlowDrop Attack". Computer Networks. 150: 234–249. doi:10.1016/j.comnet.2019.01.007. hdl:11567/942438. S2CID 60442737.
  6. Vaccari, I., Aiello, M., Cambiaso, E. (2020). SlowITe, a novel denial of service attack affecting MQTT. Sensors, 20(10), 2932. doi:10.3390/s20102932.
  7. https://www.cloudflare.com/en-ca/learning/ddos/ddos-attack-tools/slowloris/ "Techniques such as limiting the maximum number of connections a single IP address is allowed to make, restricting slow transfer speeds, and limiting the maximum time a client is allowed to stay connected are all approaches for limiting the effectiveness of low and slow attacks."