Layer-7 DDoS attacks, which are slow rate and hence known as “low and slow” DDoS attacks, tend to attempt opening relatively fewer connections to the server targeted or the target web site. The connections and sessions are left open for as long as possible, causing the target’s resources to get expended and eventually to get overwhelmed. Thus the traffic of low and slow attempts, which appear legitimate, make the server targeted unavailable to legitimate traffic and escape detection by the traditional mitigation tools.

In this article let us look at:

  1. What is RUDY?
  2. What is a RUDY Attack?
  3. Methods of Mitigation

1. What is RUDY?

Let us start with what does RUDY mean. This DDoS website tool is often misused to execute slow-rate attacks (like DDoS attacks by Slowloris) and uses long form-field submissions for its implementation and execution. What is RUDY short for? The longer form is (r u dead yet/ R-U-Dead-Yet) and is named after the Finish album R.U.D.Y., of the Children of Bodom, which is a melodic death metal band. 

2. What is a RUDY attack?

RUDY attacks are of the low and slow attack-type of tools used to make a targeted server or web server crash by submitting long form-fields in low volumes continued to appear as legitimate traffic. The DoS tool browses the website targeted to detect its embedded web forms. Once identified, RUDY attack will send the server a legitimate request via HTTP POST, which contains an abnormally long header-field content-length.  It then proceeds to inject the information onto the form using tiny data volume packets of one byte-size at a time. 

Since the information relayed is in small chunks and at a very slow rate of approximately 10-second intervals between bytes, it is called a low and slow RUDY DDOS attack. Technology advancements have helped the variants of RUDY attacks to use randomized time intervals in a bid to avoid detection. Thus RUDY creates a huge backlog of application threads since the ‘content-length’ field is long and prevents the receiving server from automatically closing the connection. Eventually, the attack causes the targeted server’s connection table to run slow and get exhausted, leading the server to crash.

The sophisticated and appearing legitimate RUDY tool can automatically detect the target server’s web forms, choose which fields in the form to attack, and, if available on the target server, use the support of cookie-based session persistence and SOCKS proxies. When unmitigated and undetected, such Slowloris attacks last for long periods of time. Thus if the sockets attacked time out, it reinitiates the connection and continues to max out the resources of the webserver until it is mitigated.

3. Methods of mitigation

Methods of mitigation involve close server resource monitoring, which can reveal a low and slow attack, RUDY attacks etc. In this method used by legacy mitigation solutions, the CPU usage, server memory application threads, and connection tables etc., are scanned for stuck application processes, abuse of resources, and idle open network connections staying open for long intervals.

Another effective tool is to use behaviour analysis of the open server connections. The solution simulates the requirements of an application stack resource without a direct server connection to identify misuse and detect and mitigate such attacks. 

Solutions like Imperva are more effective and less complex in mitigating low and slow DoS attacks, RUDY attacks and such as they use reverse proxy technology. This means all requests are inspected in real-time en-route to the clients’ servers. The secure proxy is effective as it does not forward the partial connection requests, thus making the DoS attack useless.


While DDoS attacks are volumetric in nature and can be detected by the abnormally high rates of incoming traffic fluctuations, the low-and-slow RUDY attack is hard to detect and appear to be legitimate traffic. To mitigate such RUDY definition attacks, one can use methods like server resource monitoring, behavior analysis of the open server connections, or reverse proxy technology to render useless DoS attacks and RUDY attacks.

So, have you made up your mind to make a career in Cyber Security? Visit our Master Certificate in Cyber Security (Red Team) for further help. It is the first program in offensive technologies in India and allows learners to practice in a real-time simulated ecosystem, that will give you an edge in this competitive world.



Are you ready to build your own career?