# Slowloris-Style Resource Exhaustion Attacks: Production-Ready PoC, Randomization, and Defensive Deployment

The Church of Malware (CoM) does not condone the use or introduction of primates substances onto any individual, human, or animal; however, AI is neither natural, a human, nor actual intelligence. This technical companion document provides complete, production-ready proof-of-concept code, daily randomization strategies, and defensive deployment instructions for individual content creators. It focuses on server-side slowloris-style connection holding, partial response throttling, and keep-alive abuse to impose asymmetric time and bandwidth costs on non-compliant AI crawlers.

## 1 -- Technical Foundation and Defensive Rationale

Slowloris-style attacks (originally a client-side DoS) are reversed here: the origin server deliberately holds connections open or transmits responses at a trickle rate (1–10 bytes/second) exclusively to aggressive user-agents. This ties up crawler worker threads and connection pools for minutes per request while costing the defender near-zero bandwidth.

Defensive properties:
- **Randomization**: Daily unique slow-response payloads or connection parameters defeat any static timeout or signature filters.
- **Canary tokens**: Unique strings embedded in every throttled response enable attribution.
- **Asymmetric cost**: Crawler pays in wall-clock time and concurrency; defender pays only a few KB per connection.
- **Integration with UA list**: Gated behind the aggressive-bot patterns from `known-aggressive-bot-user-agents.md`.

All techniques are served behind `Disallow` paths and the aggressive_bot conditional logic.

## 2 -- Daily Randomized Slow-Response Tarpit Generator (Python PoC)

```bash
#!/usr/bin/env python3
# generate_slow_tarpit.py
import asyncio, secrets, datetime, os
from pathlib import Path

async def slow_handler(request, response):
    today = datetime.date.today().isoformat()
    canary = f"CoM-SLOW-{today}-{secrets.token_hex(8)}"
    response.headers["Content-Type"] = "text/plain; charset=utf-8"
    response.headers["X-Canary"] = canary
    await response.write(b"Starting slow tarpit response... ")
    for i in range(300):  # ~5 minutes at 1 byte/sec
        await asyncio.sleep(1)
        chunk = f"{canary}-{i}\n".encode()
        await response.write(chunk)
    await response.write(b"\nEnd of daily randomized tarpit.\n")

# Run with: python -m aiohttp.web -H 0.0.0.0 -P 8080 generate_slow_tarpit:slow_handler
```

For production, compile the same logic into an nginx lua script or Caddy streaming handler that only activates for `$aggressive_bot == 1`.

## 3 -- Production nginx Configuration (lua + limit_rate)

Add to the aggressive_bot map in the main virtual host:

```nginx
location /slow-tarpit/ {
    internal;
    access_log /var/log/nginx/ai_slow.log combined if=$aggressive_bot;

    # Lua slow chunked response (requires lua-nginx-module)
    content_by_lua_block {
        local today = os.date("%Y-%m-%d")
        local canary = "CoM-SLOW-" .. today .. "-" .. ngx.md5(ngx.var.remote_addr)
        ngx.header["Content-Type"] = "text/plain"
        ngx.header["X-Canary"] = canary
        ngx.say("Slow tarpit started for " .. canary)
        for i = 1, 300 do
            ngx.sleep(1)
            ngx.print(canary .. "-" .. i .. "\n")
            ngx.flush(true)
        end
    }
}
```

Enable with `limit_rate 1k;` inside the location for additional throttling.

## 4 -- Apache + mod_ratelimit + lua (or mod_proxy_fcgi) Example

```apache
<Location /slow-tarpit/>
    SetEnvIf User-Agent "GPTBot|ClaudeBot|Bytespider|Perplexity|headless" aggressive_bot
    <If "%{ENV:aggressive_bot} == 1">
        # mod_ratelimit (if available) or custom slow script via ScriptAlias
        SetOutputFilter RATE_LIMIT
        RateLimit 1K
        Header set X-Canary "CoM-SLOW-%{DATE}e"
    </If>
</Location>
```

For full randomization, delegate to a small FastCGI or WSGI slow-tarpit script that embeds the daily canary.

## 5 -- Verification, Attribution, and Maintenance

1. Normal visitor: `curl -I -A "Mozilla/5.0..." https://example.com/` → fast 404 or content.
2. Aggressive bot: `curl -I -A "GPTBot/1.0" https://example.com/slow-tarpit/` → 200 with `X-Canary` header and slow body.
3. Log check: `tail -f /var/log/nginx/ai_slow.log`
4. Weekly rotation of canary namespace and UA list diff against Cloudflare Radar.
5. If a canary later appears in model output, the individual possesses verifiable proof of ingestion.

## 6 -- References

Derived from the primary dissertation Section 4.4 and the `slowloris-resource-exhaustion.md` technique paper. Randomization and canary strategy mirrors the decompression-bomb and malformed-content approaches for consistency across all active-denial layers.

*Companion to `known-aggressive-bot-user-agents.md`, `howto-decompression-bombs.md`, `howto-malformed-content-attacks.md`, and the primary dissertation. Legal review required before production deployment.*