Wednesday, 8 August 2018

R.U.D.Y. & Slowloris DoS Attacks Explained

How Slowloris and R-U-DEAD-YET? attacks differ from traditional DoS attacks, and why cybersec engineers dread them.

DoS vs DDoS

The difference between DoS and DDoS is pretty elementary - the former typically uses a single system to flood the target network, while the latter uses multiple systems, often distributed across the globe, for the same.

Hence, the approach taken by both methods must differ in order to be effective. DDoS relies on "quantity over quality", where as the opposite is true for DoS attacks.

Low and Slow Attacks

RUDY and Slowloris both fall under a category of DoS attacks labelled "Low and Slow" attacks .
Low and Slow attacks differ from traditional attacks in that the they require only limited bandwidth, and are therefore much more difficult to detect and mitigate.

They are called so because they aim to use up the server resources by communicating with it in a very slow manner. They generally operate in layer 7 and use headers to accomplish said task.


Slowloris is a layer 7 DoS attack that uses multiple connections to use up the resources of a webserver.
A webserver can hold only a limited number of concurrent connections. Once a session is completed, the webserver closes that connection to free up resources for more clients to be able to connect to it. Slowloris attacks exploit this vulnerability by creating connections that are never closed.
This is accomplished by sending incomplete HTTP request headers, which upon being received by the server will open connections and wait for the rest of the request to arrive. The requests never finish arriving as they are sent in an extremely slow manner, just fast enough to ensure that the connection is not timed out by the webserver. Hence, the server will not drop any of these connections as they simply mimic a very slow client. Once the server reaches the maximum number of possible connections, it no longer accepts connections from new clients, including legitimate ones. Ergo, service denied.


RUDY is quite similar to Slowloris in that they are both layer 7 slow-rate attacks, and both target the maximum number of concurrent connections possible by a server.
 RUDY uses a never ending HTTP POST request to accomplish said goal. This is done by assigning a very large value to the Content-Length header field and then sending the data in a very slow manner.

Once again, the data is sent just fast enough to ensure that the connection is not timed out by the server.

Mitigating R.U.D.Y. and Slowloris attacks

 Since these attacks mimic legitimate clients, preventing them entirely is almost impossible. However, certain steps can be taken to ensure that the damage done is minimized, thereby rendering such attacks practically futile.

Following are some of the strategies that can be adopted.

  • Decrease the timeout interval — this ensures that clients do not stay idly connected for long periods of time. 
  • Restrict the number of connections — the number of connections per IP address can be restricted to ensure that a single machine does not use up all the resources.
  • Implement both the above. Do note that these strategies may adversely affect legitimate clients as well. Hence, a proper balance between security and usability needs to be found.

Good luck and Godspeed.
- A

All the posts found in this blog are meant either for educational purposes or are the personal opinions of myself (Arcanecfg). I do not condone any illegal activities whatsoever. I cannot be held responsible for any actions the readers of this blog may perform with the knowledge attained from here (Wasted Wolf). These Terms and Conditions of Use apply to you when you view, access or otherwise use the blog located at

Theme designed by mono-lab / Edited by Arcanecfg. Protection Status
/ Wasted Wolf /