Low and Slow DDoS Attacks
Low and slow attacks, unlike floods, do not require a large amount of traffic. Low and slow attacks mostly target application resources and sometimes server resources. By nature, they are difficult to detect because they involve connections and data transfers that appear to occur at normal rates, making it challenging to implement web application security and DDoS attack mitigation strategies.
Sockstress attacks are a common type of low and slow DDoS attack.
In a Sockstress attack, the attacker completes a TCP connection and then advertises a receive window of zero, telling the server that it cannot accept any data. The server continually sends probe packets to the client to see when it can accept new information, but the connection remains open indefinitely because the attacker does not change the window size. By opening many of these connections, the attacker consumes all of the space in the server's TCP connection table and other tables, preventing legitimate users from establishing a connection. Alternatively, the attacker may open many connections with very small window sizes (around 4 bytes). Doing so forces the server to break information into massive numbers of tiny chunks, which consumes the server's available memory and causes a denial of service.
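A detection sketch for the behaviour described above, added here as an example and not taken from the original page: it flags sources that hold several connections whose advertised window stays closed or tiny (around 4 bytes) instead of reopening. The record layout, the thresholds and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed thresholds; tune them against your own baseline traffic.
TINY_WINDOW = 4          # bytes; the page cites windows of around 4 bytes
STALL_SECONDS = 30       # how long a window may stay tiny before it counts as stalled
MAX_STALLED_PER_SRC = 3  # stalled connections tolerated from a single source


def stalled_sources(observations, now, tiny_window=TINY_WINDOW,
                    stall_seconds=STALL_SECONDS, max_stalled=MAX_STALLED_PER_SRC):
    """Return {src_ip: stalled_connection_count} for sources at or over the limit.

    observations: time-ordered (ts, src_ip, src_port, advertised_window) tuples,
    one per segment received from a client on an established connection.
    advertised_window is assumed to be the value after window scaling.
    """
    tiny_since = {}  # (src_ip, src_port) -> time the window was first seen tiny
    for ts, src, port, window in observations:
        key = (src, port)
        if window <= tiny_window:
            tiny_since.setdefault(key, ts)  # keep the earliest timestamp
        else:
            tiny_since.pop(key, None)       # window reopened: normal flow control
    per_src = defaultdict(int)
    for (src, _port), since in tiny_since.items():
        if now - since >= stall_seconds:
            per_src[src] += 1
    return {src: n for src, n in per_src.items() if n >= max_stalled}


# Constructed sample data using documentation address ranges.
SAMPLE = [
    (0, "198.51.100.7", 40001, 0),
    (0, "198.51.100.7", 40002, 0),
    (1, "198.51.100.7", 40003, 4),
    (1, "198.51.100.7", 40004, 0),
    (2, "203.0.113.20", 51000, 0),       # busy client, window briefly closed
    (5, "203.0.113.20", 51000, 65535),   # ...and reopened a few seconds later
    (10, "192.0.2.5", 52000, 0),         # one stalled connection: under the limit
    (40, "198.51.100.7", 40001, 0),      # still closed 40 seconds on
]

if __name__ == "__main__":
    print(stalled_sources(SAMPLE, now=60))
```

A client that briefly closes its window and reopens it is not counted, which keeps ordinary TCP flow control from triggering the check.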
Protecting Against Low and Slow DDoS Attacks
Low and slow attacks can target server and application resources. For example, they can target specific design flaws or vulnerabilities on a target server with a relatively small amount of malicious traffic, eventually causing it to crash. As a result, these serious attacks require sophisticated DDoS mitigation and DDoS protection solutions.