'Slow reading' slows server to a standstill, says researcher

Shekyan calls this new type of DoS attack "slow reading"

In his blog, Shekyan compared the process to being in a line at a fast food restaurant that serves two types of burgers. A customer cannot decide which type of burger he wants to order, so the cashier cannot help other customers, the rest of the line gets anxious, and the restaurant’s business slows down.

To speed up the process, the restaurant posts a sign advising customers to “think ahead of your order”. Now the same customer orders hundreds of burgers and pays for them, but the line is stuck again because he can only carry five burgers at a time to his car, making the sign ineffective.

“While developing the slowhttptest tool, I thought about this burger scenario, and became curious about how HTTP servers react to slow consumption of their responses”, Shekyan explained in a blog. “There are so many conversations about slowing down requests, but none of them cover slow responses. After spending a couple of evenings implementing proof-of-concept code, I pointed it to my so-many-times-tortured Apache server and, surprisingly, got a denial of service as easily as I got it with slowloris and slow POST”, he added.

“The idea of the attack I implemented is pretty simple: bypass policies that filter slow-deciding customers, send a legitimate HTTP request and read the response slowly, aiming to keep as many connections as possible active”, Shekyan explained. He then provides more details about how to craft the slow read DoS attack.

Shekyan said that all servers are vulnerable to this type of attack, which he calls "slow reading", in their default configuration. To mitigate it, he advises three measures: do not accept connections that advertise an abnormally small TCP receive window; do not enable persistent connections and HTTP pipelining unless performance really benefits from them; and limit the absolute lifetime of a connection to some reasonable value.
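The mitigations above translate directly into per-connection checks that a server operator can run against a snapshot of open connections. The following Python script is an added example, not code from the article or from Shekyan's slowhttptest tool: the record format ("client window age send_q"), the thresholds, the client addresses and the snapshot itself are all constructed for illustration, and a real deployment would take the same fields from the kernel's socket statistics. It flags a client's connections when the advertised window is abnormally small, when the connection has outlived an absolute lifetime limit, when a response is queued for a client that will not read it, and when one client holds an unreasonable number of connections.

```python
"""
Added example (not from the article or from slowhttptest): triage a snapshot of
server connections using the three mitigation ideas Shekyan lists.
"""
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions for this example; tune them to the server's real traffic.
MIN_WINDOW_BYTES = 1024       # an advertised receive window below this is "abnormally small"
MAX_LIFETIME_S = 120          # absolute lifetime limit for a single connection
MAX_CONNS_PER_CLIENT = 20     # concurrent connections one client may reasonably hold


@dataclass
class Conn:
    client: str   # client address
    window: int   # client's last advertised TCP receive window, in bytes
    age_s: int    # seconds since the connection was accepted
    send_q: int   # bytes of response still queued in the server's send buffer


def parse_record(line):
    """Parse one constructed 'client window age send_q' record."""
    client, window, age, send_q = line.split()
    return Conn(client, int(window), int(age), int(send_q))


def connection_flags(conn):
    """Return the mitigation rules a single connection violates."""
    flags = []
    if conn.window < MIN_WINDOW_BYTES:
        flags.append("small-window")
    if conn.age_s > MAX_LIFETIME_S:
        flags.append("lifetime-exceeded")
    if conn.send_q > 0 and conn.window < MIN_WINDOW_BYTES:
        # The server has a response ready but the client refuses to take it:
        # this is what distinguishes a slow-read connection from an idle one.
        flags.append("stalled-response")
    return flags


def triage(records):
    """Group connections by client and report clients that trip any rule."""
    per_client = defaultdict(list)
    for conn in (parse_record(r) for r in records):
        per_client[conn.client].append(conn)

    findings = {}
    for client, conns in per_client.items():
        reasons = set()
        for conn in conns:
            reasons.update(connection_flags(conn))
        if len(conns) > MAX_CONNS_PER_CLIENT:
            reasons.add("too-many-connections")
        if reasons:
            findings[client] = {"connections": len(conns), "reasons": sorted(reasons)}
    return findings


# Constructed snapshot: one client holding 25 connections with a tiny window and a
# full send buffer, one long-lived but otherwise normal client, and one normal client.
SAMPLE = ["198.51.100.7 512 150 65535"] * 25
SAMPLE += ["203.0.113.9 65535 200 0", "203.0.113.5 65535 3 0"]

if __name__ == "__main__":
    for client, info in triage(SAMPLE).items():
        print(client, info)
```

Running the script reports 198.51.100.7 on all four rules and 203.0.113.9 only for exceeding the lifetime limit; 203.0.113.5 is not reported. The "stalled-response" rule is the one worth watching in practice, because an idle keep-alive connection and a slow-read connection look alike until you check whether the server has data waiting that the client is not accepting.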
