What is a Slow Read DDoS Attack?
A slow read DDoS attack involves an attacker sending an appropriate HTTP request to a server, but then reading the response at a very slow speed, if at all. By reading the response slowly – sometimes as slow as one byte at a time – the attacker prevents the server from incurring an idle connection timeout.
Because the attacker advertises a TCP zero window to the server, the server assumes the client is actually reading the data and therefore keeps the connection open. Held across many connections, this has the cumulative effect of consuming server resources, thus preventing legitimate requests from going through.
A Slow Read DDoS attack is characterized by a very small TCP receive window size, combined with the attacker draining its own TCP receive buffer slowly. Together these create a condition where the data flow rate is extremely low.
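The characteristics above (very small or zero receive windows, response data still waiting to be sent, and an extremely low data flow rate) can be turned into a detection check. The following Python is an added example, not part of the original article; the `ConnSample` fields, the thresholds and the sample records are assumptions constructed for illustration and would come from your own packet capture or proxy statistics.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import median

# Thresholds are illustrative assumptions; tune them against your own baseline.
MAX_MEDIAN_WINDOW = 512     # bytes: "very low" advertised receive window
MAX_DRAIN_RATE = 100.0      # bytes/second actually acknowledged by the client
MIN_AGE_SECONDS = 30.0      # ignore connections too young to judge
MIN_CONNS_PER_SOURCE = 3    # one slow client on a bad link is not an attack

@dataclass
class ConnSample:
    """Hypothetical per-connection telemetry record."""
    src: str
    windows: list        # advertised TCP receive window sizes seen, in bytes
    bytes_acked: int     # response bytes the client has acknowledged
    bytes_pending: int   # response bytes the server still has to send
    age: float           # seconds since the request completed

def is_slow_reader(c: ConnSample) -> bool:
    """True when a connection shows the slow-read pattern: tiny or zero
    windows, unsent response data, and a very low drain rate."""
    if c.age < MIN_AGE_SECONDS or c.bytes_pending == 0 or not c.windows:
        return False
    drain_rate = c.bytes_acked / c.age
    return median(c.windows) <= MAX_MEDIAN_WINDOW and drain_rate <= MAX_DRAIN_RATE

def suspicious_sources(conns):
    """Sources holding several slow-read connections at the same time."""
    counts = Counter(c.src for c in conns if is_slow_reader(c))
    return {src: n for src, n in counts.items() if n >= MIN_CONNS_PER_SOURCE}

# Constructed sample data (documentation address ranges), not real traffic.
SAMPLE = (
    [ConnSample("198.51.100.7", [0, 1, 0, 2, 0], 120, 480_000, 120.0)
     for _ in range(4)]
    + [ConnSample("203.0.113.20", [65535, 64240, 65535], 480_000, 0, 2.0),  # finished normally
       ConnSample("203.0.113.45", [256, 0, 512], 3_000, 200_000, 60.0)]     # lone slow client
)

if __name__ == "__main__":
    for src, n in suspicious_sources(SAMPLE).items():
        print(f"{src}: {n} slow-read connections")
```

Requiring several matching connections per source keeps a single client on a congested link from being flagged, since it is the cumulative hold on server resources that defines the attack.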