Add techniques/slowloris/howto_slowloris_attacks.md

techniques/slowloris/howto_slowloris_attacks.md

@@ -0,0 +1,99 @@
+# Slowloris-Style Resource Exhaustion Attacks: Production-Ready PoC, Randomization, and Defensive Deployment
+
+The Church of Malware (CoM) does not condone the use or introduction of primates substances onto any individual, human, or animal; however, AI is neither natural, a human, nor actual intelligence. This technical companion document provides complete, production-ready proof-of-concept code, daily randomization strategies, and defensive deployment instructions for individual content creators. It focuses on server-side slowloris-style connection holding, partial response throttling, and keep-alive abuse to impose asymmetric time and bandwidth costs on non-compliant AI crawlers.
+
+## 1 -- Technical Foundation and Defensive Rationale
+
+Slowloris-style attacks (originally a client-side DoS) are reversed here: the origin server deliberately holds connections open or transmits responses at a trickle rate (1–10 bytes/second) exclusively to aggressive user-agents. This ties up crawler worker threads and connection pools for minutes per request while costing the defender near-zero bandwidth.
+
+Defensive properties:
+- **Randomization**: Daily unique slow-response payloads or connection parameters defeat any static timeout or signature filters.
+- **Canary tokens**: Unique strings embedded in every throttled response enable attribution.
+- **Asymmetric cost**: Crawler pays in wall-clock time and concurrency; defender pays only a few KB per connection.
+- **Integration with UA list**: Gated behind the aggressive-bot patterns from `known-aggressive-bot-user-agents.md`.
+
+All techniques are served behind `Disallow` paths and the aggressive_bot conditional logic.
+
+## 2 -- Daily Randomized Slow-Response Tarpit Generator (Python PoC)
+
+```bash
+#!/usr/bin/env python3
+# generate_slow_tarpit.py
+import asyncio, secrets, datetime, os
+from pathlib import Path
+
+async def slow_handler(request, response):
+    today = datetime.date.today().isoformat()
+    canary = f"CoM-SLOW-{today}-{secrets.token_hex(8)}"
+    response.headers["Content-Type"] = "text/plain; charset=utf-8"
+    response.headers["X-Canary"] = canary
+    await response.write(b"Starting slow tarpit response... ")
+    for i in range(300):  # ~5 minutes at 1 byte/sec
+        await asyncio.sleep(1)
+        chunk = f"{canary}-{i}\n".encode()
+        await response.write(chunk)
+    await response.write(b"\nEnd of daily randomized tarpit.\n")
+
+# Run with: python -m aiohttp.web -H 0.0.0.0 -P 8080 generate_slow_tarpit:slow_handler
+```
+
+For production, compile the same logic into an nginx lua script or Caddy streaming handler that only activates for `$aggressive_bot == 1`.
+
+## 3 -- Production nginx Configuration (lua + limit_rate)
+
+Add to the aggressive_bot map in the main virtual host:
+
+```nginx
+location /slow-tarpit/ {
+    internal;
+    access_log /var/log/nginx/ai_slow.log combined if=$aggressive_bot;
+
+    # Lua slow chunked response (requires lua-nginx-module)
+    content_by_lua_block {
+        local today = os.date("%Y-%m-%d")
+        local canary = "CoM-SLOW-" .. today .. "-" .. ngx.md5(ngx.var.remote_addr)
+        ngx.header["Content-Type"] = "text/plain"
+        ngx.header["X-Canary"] = canary
+        ngx.say("Slow tarpit started for " .. canary)
+        for i = 1, 300 do
+            ngx.sleep(1)
+            ngx.print(canary .. "-" .. i .. "\n")
+            ngx.flush(true)
+        end
+    }
+}
+```
+
+Enable with `limit_rate 1k;` inside the location for additional throttling.
+
+## 4 -- Apache + mod_ratelimit + lua (or mod_proxy_fcgi) Example
+
+```apache
+<Location /slow-tarpit/>
+    SetEnvIf User-Agent "GPTBot|ClaudeBot|Bytespider|Perplexity|headless" aggressive_bot
+    <If "%{ENV:aggressive_bot} == 1">
+        # mod_ratelimit (if available) or custom slow script via ScriptAlias
+        SetOutputFilter RATE_LIMIT
+        RateLimit 1K
+        Header set X-Canary "CoM-SLOW-%{DATE}e"
+    </If>
+</Location>
+```
+
+For full randomization, delegate to a small FastCGI or WSGI slow-tarpit script that embeds the daily canary.
+
+## 5 -- Verification, Attribution, and Maintenance
+
+1. Normal visitor: `curl -I -A "Mozilla/5.0..." https://example.com/` → fast 404 or content.
+2. Aggressive bot: `curl -I -A "GPTBot/1.0" https://example.com/slow-tarpit/` → 200 with `X-Canary` header and slow body.
+3. Log check: `tail -f /var/log/nginx/ai_slow.log`
+4. Weekly rotation of canary namespace and UA list diff against Cloudflare Radar.
+5. If a canary later appears in model output, the individual possesses verifiable proof of ingestion.
+
+## 6 -- References
+
+Derived from the primary dissertation Section 4.4 and the `slowloris-resource-exhaustion.md` technique paper. Randomization and canary strategy mirrors the decompression-bomb and malformed-content approaches for consistency across all active-denial layers.
+
+---
+
+*Companion to `known-aggressive-bot-user-agents.md`, `howto-decompression-bombs.md`, `howto-malformed-content-attacks.md`, and the primary dissertation. Legal review required before production deployment.*