At this moment, the cybercriminals will create a network of botnets (infected devices) that later they will use for attacks. These unfinished requests exhaust bandwidth and affect the server’s ability to handle legitimate requests. These portions are sent in timed intervals, so the request does not time out, and the server waits for it to be completed. This example configuration will enforce the following behavior: How does it work There are different types of DDoS attacks (volume-based attacks, protocol-based attacks, and application-layer attacks), but in general, they all have the same stages: Pre-production of the attack. The Slowloris attack sends small portions of an HTTP request to a server. slowloris keeping connections open without requesting anything): QS_SrvMinDataRate 150 1200 # and limit request header and body ( careful, that limits uploads and post requests too): # LimitRequestFields 30 # QS_LimitRequestBody 102400 The attacked servers open more and connections open, waiting for each of the attack requests to be completed.
It does this by continuously sending partial HTTP requests, none of which are ever completed. # handles connections from up to 100000 different IPs QS_ClientEntries 100000 # will allow only 50 connections per IP QS_SrvMaxConnPerIP 50 # maximum number of active TCP connections is limited to 256 MaxClients 256 # disables keep - alive when 70 % of the TCP connections are occupied: QS_SrvMaxConnClose 180 # minimum request / response speed ( deny slow clients blocking the server, ie. Attack description Slowloris works by opening multiple connections to the targeted web server and keeping them open as long as possible.