AppLICATION DoS

Application DoS attacks: These attacks send traffic that looks like legitimate application traffic. For example, they send Web requests to a Web server, or send likes to a social network server. Their traffic looks almost or exactly like traffic a legitimate client would send.

Analogy: you're waiting for an important letter and someone is sending you bunch of envelopes, with empty sheets inside, which clog your mailbox. You can see after you've opened each envelope that this is junk mail, but you cannot see before you open it, and the postman cannot tell either. You cannot "filter" this unwanted mail before it is placed into your mailbox, and you cannot process it quickly. Thus you're stuck doing useless work and you run the risk of missing your important letter.

Slowloris attack: Connects to a Web server, but instead of sending a short request it sends a very long one very slowly (think of the Sloth talking in Zootopia).

Resource exhausted: sockets. Each server has a limited number of sockets (usually in thousands). These sockets are a way for applications to connect to the network and receive traffic. When a client sends traffic to the server, the server opens one of these sockets, listens to the full request, and then provides some reply. If many requests are Slowloris requests (take long time to say what service is needed), this ties up many sockets. Legitimate client requests then have no free socket to use and have to be dropped.

Analogy: Many Sloth-like clients talking slowly at different teller windows in a bank. Legitimate clients want to withdraw money but all windows are taken and there is no waiting space. Clients have to leave.