Taxonomy of Slow DoS Attacks
Slow DoS attacks exploit vulnerabilities in application-layer services, using low-volume traffic to overwhelm a target server. The low-volume nature of Slow DoS attacks makes them challenging to distinguish from legitimate traffic, particularly when they mimic the behavior of normal users experiencing poor internet connections. These attacks establish numerous TCP connections to the victim server and keep them open for an extended period while sending a small number of crafted requests, with the goal of consuming server resources and preventing the server from serving legitimate clients. Unlike traditional DDoS attacks, Slow DoS attacks require minimal computational resources from the attacker.
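The detection problem described above, as an added example that is not part of the original article: a single long-lived, low-rate connection also matches a legitimate user on a poor link, so the check counts such connections per source before flagging anything. The record fields, thresholds and sample data are constructed assumptions.

```python
from collections import Counter, namedtuple

# Hypothetical record of one open TCP connection as seen by the server.
Conn = namedtuple("Conn", "src age_s bytes_in request_complete")

def slow_connections(conns, min_age_s=30, max_bytes_per_s=50.0):
    """Connections open at least min_age_s seconds whose request is still
    incomplete and whose inbound rate is under max_bytes_per_s."""
    return [c for c in conns
            if c.age_s >= min_age_s
            and not c.request_complete
            and c.bytes_in / c.age_s < max_bytes_per_s]

def suspicious_sources(conns, min_slow_conns=20, **thresholds):
    """Sources holding at least min_slow_conns slow connections at once."""
    per_src = Counter(c.src for c in slow_connections(conns, **thresholds))
    return {src: n for src, n in per_src.items() if n >= min_slow_conns}

# Constructed sample data (documentation address ranges, not real traffic).
SAMPLE = (
    # One source holding 40 connections open for 2 minutes, 200 bytes each.
    [Conn("203.0.113.7", 120, 200, False) for _ in range(40)]
    # A legitimate user on a poor link: one slow, still-incomplete upload.
    + [Conn("198.51.100.20", 45, 1500, False)]
    # A normal user: short-lived, completed requests.
    + [Conn("198.51.100.30", 2, 800, True) for _ in range(4)]
)

if __name__ == "__main__":
    print("slow connections:", len(slow_connections(SAMPLE)))
    print("suspicious sources:", suspicious_sources(SAMPLE))
```

The per-connection rule alone matches 41 connections, including the legitimate slow upload; only the per-source count isolates the one client holding 40 of them.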
The concept of a Slow DDoS attack is illustrated below:
Two attackers are connected to router-4 and continuously send a series of short, periodic, high-intensity bursts of attack traffic to the target-1 bottleneck links and the target-2 server. This mechanism exploits the way TCP congestion control works. The short, high-intensity attack bursts cause heavy packet loss in normal TCP flows, forcing the TCP congestion control mechanism to switch to slow start, which compresses the window and causes traffic loss.
Once the TCP flow has entered slow start, the attacker stops attacking. When the TCP flow slowly returns to normal, the attacker begins the next attack cycle by repeating the process. This attack strategy leads to the saturation of the targeted network link and its associated nodes. Consequently, legitimate users experience a significant deterioration in network performance, manifested as high packet loss rates or even complete service unavailability. Below we provide a detailed discussion of various Slow DoS attacks.