Slow POST Attack

Class: Applicative

Category: Layer 7 (Application Layer) DDoS

Alternative Names: Slow HTTP POST, R-U-Dead-Yet (RUDY)


A Slow POST attack is a type of application-layer DDoS attack that exploits the way web servers handle HTTP POST requests. Instead of overwhelming a server with a flood of requests, this attack operates by sending a legitimate-looking HTTP POST request with a declared large content length—but transmitting the actual body of the request extremely slowly, often byte by byte.


The goal is to tie up server resources, keeping connections open for as long as possible. Since many web servers allocate memory and processing resources per open connection, a small number of Slow POST requests can exhaust available server threads or connection pools—leading to service degradation or complete unavailability.

Attack Mechanism

  1. The attacker sends a valid HTTP POST request header with a large Content-Length value (e.g., Content-Length: 1000000).

  2. The body of the request is then transmitted extremely slowly—sometimes at rates of one byte every 10 seconds.

  3. Because the request is incomplete, the server keeps the connection open, expecting more data.

  4. This behavior is repeated across multiple connections, eventually exhausting the server’s connection pool or thread resources.

  5. Legitimate users are then unable to establish new connections or complete their own requests.


Unlike high-rate DDoS attacks, this is a low-bandwidth but highly effective denial tactic—especially dangerous to web applications with blocking or threaded request processing models.


Indicators of Attack

  • High number of open POST connections with low data transfer rates.

  • Anomalies in request completion times or hanging POSTs.

  • Servers running out of worker threads or max connections.

  • Web server logs showing high Content-Length headers with low actual body data.

Mitigation Strategies

  • Connection Timeouts: Set aggressive read and header timeouts (e.g., RequestReadTimeout in Apache).

  • Rate Limiting: Detect and limit connections with suspiciously low transfer rates.

  • Reverse Proxies and WAFs: Use reverse proxies like nginx or Cloudflare, which handle connections asynchronously and can drop slow clients.

  • Anomaly Detection: Implement behavioral analysis or ML-based filters to catch slow POST patterns.

  • Asynchronous Server Architectures: Prefer event-driven or async-based web servers (e.g., nginx, Node.js) to reduce resource usage per connection.


by Sergei Penchuk, CISSP

Popular posts from this blog

Startups Need to Cyber Up as Early as Pre-Seed!

Startups Need to Cyber Up as Early as Pre-Seed! 10 Cyber Takeaways for Early-Stage Startups to Win New Customers You start with a great idea, a talented team, and a sharp market fit. You decide to launch a startup venture to fulfill this passion. Fun! If you just got started—congrats! You’re in the Pre-Seed stage. As early as this stage may be, here are our top cybersecurity decisions you should be making to set yourself apart from the crowd and grow your appeal to venture capitalists and customers alike! Create a Security and Privacy Policy Creating a security and privacy policy for your company and adding it to your website will position you as a mature organization that takes security risks seriously. This shouldn’t be a pricey task—consider seeking direction from AI tools. Scan Your Code With SAST and SCA Tools It’s a small effort that allows you to spot security issues early in development. You can use a free tier from vendors like Snyk or CodeQL from GitHub. Mind Your Tech Co...
Read more

DDoS Attacks on Enterprises Surge

 Large-Scale Assaults Demand High Sophistication and Vast Botnets “The weakest point in the enemy’s position must be sought out and attacked with the greatest determination.” Carl von Clausewitz DDoS attacks exploit two main concepts: Focus – Find a vulnerability on the victim’s side and direct all of your attack power toward it. Amplification – Use resources from other hosts on the internet to boost your attack. There are mainly four types of DDoS attacks: Volume, Infrastructure (protocol), Application, and Advanced . Volume attacks are fairly simple—many machines worldwide send large amounts of data to the target, saturating its bandwidth. It’s one of the most mature and well-known attack types, and many vendors are adept at mitigating it. High traffic volume is typically achieved by amplifying requests through vulnerable servers on the internet that rely on the stateless UDP protocol. These servers accept a small request from the attacker but respond with large data packets...
Read more

Understanding SCA in Few Sentences

Understanding Software Composition Analysis (SCA) in Few Sentences Software Composition Analysis (SCA) is a security methodology aimed at managing the risks associated with the use of third-party and open-source components in a software application. These components, while useful for rapid development, can introduce vulnerabilities that may be exploited by malicious actors. SCA is crucial in identifying these weaknesses as part of an integrated DevSecOps pipeline.  How SCA is Performed 1. Inventory Creation: The first step involves generating a Bill of Materials (BoM), listing all the components, libraries, and dependencies used in the application. 2. Static Analysis: Using this BoM, SCA tools scan the components against known vulnerability databases like NVD (National Vulnerability Database) to identify potential issues. 3. License Compliance Check: SCA tools also examine each component for licensing requirements to ensure legal compliance. 4. Continuous Monitoring: Vulnerabil...
Read more