Apache + Slowloris = FAIL

Slowloris

Idea: open many connections to an HTTP server and slowly send requests that will never complete
This uses up resources on the webserver while having a very low traffic footprint.
Apache: multi-processing modules (MPM) prefork and worker have a limitation on the number of open connections; each connection is bound to a process/thread.
As soon as your slow, incomplete-request-sending connections hit this limit, Apache will stop responding to other requests even though the open connections generate virtually no load.

Use async I/O: webservers using this technique are not vulnerable to the Slowloris attack, e.g. lighttpd, nginx, gatling, Apache's experimental event MPM, IIS 6/7, ...
My advice: if in any way possible, move away from Apache. If not, patch your Apache to mitigate the attack.
I developed and tested a proof of concept mitigation patch based on prior experience with similar attacks and published it on the Apache developer mailing list in June 2009.
...it was mostly ignored and/or dismissed ("mitigation is futile. We need to finish the event MPM").
Idea: reward clients that send reasonably fast, punish slow clients.
Do this by reducing the connection timeout for each new connection based on the current load (i.e. percentage of processes currently in use)
Clients that send reasonably fast will have no problem with it.
New connections opened by slow senders will be dropped quickly.
Proof of concept patch for prefork MPM and Apache 2.2 linked below.

A number of other mitigations were published, all of them are full of epic fail.
mod_noloris: detects Slowloris attacks by counting the number of open connections per client (i.e. IP address). Trusted clients can be whitelisted.
Problems with this approach:
- Doesn't work against Slowloris attacks launched from botnets
- Users behind NAT gateways are disadvantaged (false positives)
- Who maintains the trusted client list?
mod_antiloris: same approach as mod_noloris.
mod_limitipconn: same approach as mod_noloris.
unnamed "crazy patch": if no free processes are available, all processes/threads in read or keep-alive state are killed. WTF?!
This is all full of EPIC FAIL and has obviously only been tested with the Slowloris PoC script.

the Apache developers are aware of the bug, they know that their architecture is broken, and yet they do nothing about it.
Move away from Apache, or - if that's impossible - defend yourself.