Low and Slow Attack 是一種阻斷服務攻擊 (denial-of-service,DoS),由用戶端向伺服器端發送看似合乎規則的低速率封包,藉此占用連線 資源或是將資源耗盡,是一種在應用層上的 DoS/DDoS 攻擊方式,目 前常見的工具是 Slowloris 及 R-U-Dead-Yet,這兩種工具是運用慢速的 HTTP 請求手法攻擊,然而因為此種攻擊方式與慢速的正常使用者間無 明確界定點,所以較難發現,在這篇論文中主要監聽慢速攻擊下的封包, 並對其特徵實施分析,以利後續防禦參考使用。;Low and Slow Attack is a kind of denial-of-service (DoS) attack. Sending seemingly compliant low-rate packets from the client to the server to occupy connection resources or exhaust resources,it’s a kind method of DoS/DDoS attack at the application layer. Currently, the common tools are Slowloris and R-U-Dead-Yet, these two tools use slow HTTP requests. However, because there is no clear definition between this attack method and normal but slow users, it is difficult to detect. In this paper, will monitoring slow packets under slow attack, and analyze their characteristics for subsequent defense reference.