Slow DoS attack

The term slow DoS attack (SDA) was introduced in 2013, to clearly define a specific category of denial-of-service attacks which make use of low-bandwidth rate to accomplish their purpose. Similar terms can be found in literature, such as:
 * application layer DoS, focusing on attacks targeting the application layer only, while a slow DoS attack may exploit lower-layers of the ISO/OSI stack
 * low-rate DoS, focusing on the characteristics of using a limited amount of attack bandwidth, hence, for instance, including also exploit-based threats

Particularly, in order to reduce bandwidth, a slow DoS attack often acts at the application layer of the ISO/OSI stack (e.g. in case of timeout exploiting threats ), although this is not a requirement. Such layer is however easier to exploit in order to successfully attack a victim even by sending it few bytes of malicious requests.

The purpose of a slow DoS attack is (often, but not always ) to cause unavailability of a network service, by seizing all the connections the daemon is able to concurrently manage, at the application layer. Under such conditions, any new incoming connection, even from potentially legitimate clients, will not be accepted by the daemon, hence leading to a denial of service. In addition, once a connection is established/sized by the attacker, the adversary would keep it alive as long as possible (hence, avoiding connection closures, which could potentially free-up resources for legitimate clients). In order to keep connections alive, reducing at the same time the attack bandwidth, considering a single connection, data are sent to the target service only at specific times, by exploiting the so-called Wait Timeout parameter, scheduling a periodic data sending activity (at the application layer): once the timeout expires, a specific payload (depending on the attack type and the approach used by the malicious user) is sent to the targeted daemon. While at lower layers of the ISO/OSI stack, timeouts may be relatively short, in this case, it may assume particularly long values, in the order of minutes.

Exploited parameters
According to Cambiaso et al, slow DoS attacks exploit one or more parameters characteristics of TCP-based connections. Such parameters are exploited to keep connections alive longer than expected by preserving the attack bandwidth, hence seizing the server resources for long times, by at the same time reducing attack resources.