Comment by dredmorbius
8 years ago
Think this through.
If a large number of hosts treat some behaviour as deserving a slow-service attack, then clients exhibiting that behaviour are faced with a large set of slow-serving servers.
Any given server can monitor how many slow-service attacks it is currently providing. Given that a criterion for an SSA is having already determined that the connection is not a friendly one, then monitoring useful vs. useless (e.g., SSA) connections, and being prepared to terminate (or better: simply abandon) the SSA connections as normal traffic ramps up, is a net benefit.
Meantime, the hostile clients are faced by a pervasive wall of mud, slowing their access.
If this monitoring and these priorities are already implemented within the software that handles SSA, that's okay, but using some custom untested trickery is simply dangerous.
This is why I want to point out that simply serving content with a delay and increasing the number of active connections creates an additional attack vector that is more dangerous than the script kiddies' scanner was in the first place.
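The connection-budgeting dredmorbius describes (count tarpit connections separately from useful ones, and abandon tarpits first as normal traffic ramps up) and the reply's worry that an unbounded tarpit becomes a self-inflicted connection-exhaustion vector can be made concrete. The following is an added example, not code from either commenter or from any tarpit software; the policy, class and method names, and the thresholds `max_connections` and `tarpit_cap` are assumptions chosen for illustration:

```python
from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    NORMAL = "normal"   # ordinary client we actually want to serve
    TARPIT = "tarpit"   # client already classified hostile, served at a crawl


@dataclass(order=True)
class Conn:
    opened_at: float
    conn_id: int
    kind: Kind = field(compare=False)


@dataclass
class ConnectionBudget:
    """Track active connections and shed tarpits before they starve real traffic.

    Hypothetical policy (an assumption of this example, not from the thread):
      * at most `tarpit_cap` connections are held in the tarpit at once;
      * a hostile connection arriving when that cap is full is abandoned
        immediately (closed without a reply) instead of being held;
      * when the hard `max_connections` limit is reached, the oldest tarpits
        are abandoned to make room for normal traffic; a normal connection is
        refused only when no tarpit is left to shed.
    """
    max_connections: int
    tarpit_cap: int
    active: dict[int, Conn] = field(default_factory=dict)

    def counts(self) -> tuple[int, int]:
        """Return (normal, tarpit) counts of currently held connections."""
        normal = sum(1 for c in self.active.values() if c.kind is Kind.NORMAL)
        return normal, len(self.active) - normal

    def _oldest_tarpits(self) -> list[Conn]:
        return sorted(c for c in self.active.values() if c.kind is Kind.TARPIT)

    def admit(self, conn_id: int, kind: Kind, now: float) -> tuple[bool, list[int]]:
        """Decide whether to hold a new connection.

        Returns (accepted, shed): `shed` lists tarpit connection ids the caller
        must abandon to make room for this connection.
        """
        shed: list[int] = []
        if kind is Kind.TARPIT:
            _, tarpits = self.counts()
            if tarpits >= self.tarpit_cap or len(self.active) >= self.max_connections:
                return False, shed          # over budget: drop it, do not hold it
            self.active[conn_id] = Conn(now, conn_id, kind)
            return True, shed
        # Normal connection: free slots by shedding the oldest tarpits first.
        victims = iter(self._oldest_tarpits())
        while len(self.active) >= self.max_connections:
            victim = next(victims, None)
            if victim is None:
                return False, shed          # full of real traffic, nothing to shed
            del self.active[victim.conn_id]
            shed.append(victim.conn_id)
        self.active[conn_id] = Conn(now, conn_id, kind)
        return True, shed

    def close(self, conn_id: int) -> None:
        self.active.pop(conn_id, None)


def simulate() -> dict:
    """Constructed scenario: a scanner floods the tarpit, then real users arrive."""
    budget = ConnectionBudget(max_connections=8, tarpit_cap=5)
    t = 0.0
    refused_tarpits = 0
    for i in range(10):                      # 10 hostile connections, only 5 held
        ok, _ = budget.admit(100 + i, Kind.TARPIT, t)
        refused_tarpits += 0 if ok else 1
        t += 1.0
    held_tarpits = budget.counts()[1]
    shed_total: list[int] = []
    refused_normal = 0
    for i in range(8):                       # 8 legitimate users: 3 fit, 5 evict tarpits
        ok, shed = budget.admit(200 + i, Kind.NORMAL, t)
        shed_total.extend(shed)
        refused_normal += 0 if ok else 1
        t += 1.0
    return {
        "refused_tarpits": refused_tarpits,
        "held_tarpits_before_load": held_tarpits,
        "shed": shed_total,
        "refused_normal": refused_normal,
        "final_counts": budget.counts(),
    }
```

Running `simulate()` shows the two halves of the argument: the scanner never pins more than `tarpit_cap` slots, and when legitimate load arrives every held tarpit is abandoned, oldest first, before a single normal client is refused. Without the cap and the shedding step, the same loop would let the hostile client fill `max_connections` and the tarpit would be the denial of service.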