The Slowloris script opens two connections to the server, each without the final CRLF. After 10 seconds, second connection sends additional header. Both connections then wait for server timeout. If second connection gets a timeout 10 or more seconds after the first one, we can conclude that sending additional header prolonged its timeout and that the server is vulnerable to Slowloris DoS attack.
A “LIKELY VULNERABLE” result means a server is subject to timeout-extension attack, but depending on the http server’s architecture and resource limits, a full denial of service is not always possible. Complete testing requires triggering the actual DoS condition and measuring server responsiveness.
External references
- “HTTP Slowloris Check“; nmap.org