Ive recently had our web server farm decimated by someone carrying out a Slowloris attack against us. For information on slowloris see: http://ha.ckers.org/slowloris/
Has anyone got any firewall rules they would care to share that could help block such attempts (it may require L7 detection). I’ll be writing some up if not and will share back once we have a verified setup.
L7 may not help, as it can change it’s headers to be more stealth. What about just a connection number limit? Block any IP that has over 50 (or whatever) incoming connections?