Slow-Rate, or “Low and Slow” attacks involve apparently legitimate traffic arriving at a seemingly legitimate albeit slow rate. Attack tools such as Slowloris, Sockstress, and R.U.D.Y. produce legitimate packets at a slow rate, allowing the packets to pass traditional mitigation strategies undetected. Traffic from such attacks is often hard to detect because it looks like legitimate traffic on OSI Model Layer 7 (the Application Layer) to lower-level security devices.
One possible way to detect such an attack is to perform network behavioral analysis on the network during periods of normal operation and compare such data to that gathered during a Slow-Rate attack. For example, if on one particular network it takes 5 minutes and 10 HTTP sessions to complete a transaction based on network behavioral analysis, if a user spends 5 hours and requires 1,000 HTTP sessions to complete the same transaction they might be an attacker and further security measures may therefore be required.