Because it exploits a vulnerability in the web server, which waits for a complete header to be received (this behaviour was built in purposely by the server authors for different advantages, such as serving requests over a slow connection).
Apache and some other web servers have a timeout mechanism. An Apache web server will wait for this specified timeout duration for the completion of a request (if the request was incomplete).
This timeout value is 300 seconds by default, but it is modifiable. The timeout value is very useful if a website serves large files for download over HTTP (because it maintains an active HTTP connection to a slow client without breaking the download).
Another important fact to note here is that the timeout counter is reset every time the client sends some more data (so the timeout count starts again from 1).
But imagine a situation where somebody purposely sends partial HTTP requests and resets the timeout counter of each request by sending some bogus data very frequently.
That's exactly what Slowloris does. It sends partial HTTP requests with bogus headers. Once all connections are consumed by the partial requests, it keeps the connections open by sending more request data and resetting the timeout counter.
A complete GET request looks something like the one shown below.
CRLF stands for CR (Carriage Return) and LF (Line Feed). These are non-printable characters used to denote the end of a line.
Even when you are typing in a text editor, the editor puts a CRLF at the end of a line when you want a new line after it.
Two CRLF sequences together denote a blank line.
In the GET request shown above there are two CRLF sequences at the end of the "Connection" header (which means a blank line). In the HTTP protocol, a blank line after the headers represents the completion of the header block.
The Slowloris tool takes advantage of this in implementing its attack. It never sends the finishing blank line that indicates the end of the HTTP header.
Some web servers give higher priority to requests whose headers are complete. This is the reason why IIS is not affected by a Slowloris attack.
An incomplete request sent by the Slowloris script is shown below. The snippet is taken from the Slowloris script.
In the snippet shown above, \r\n is used to denote carriage return and newline in Perl. Two consecutive sequences, "\r\n\r\n", would be needed to denote a blank line, and they are not there. So that is an incomplete header in HTTP.
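To make the timeout-reset behaviour described above concrete, here is an added example (not code from the original article, and not Apache's code) that replays one connection's incoming bytes against two server policies: an idle timeout that restarts on every byte, as described for Apache's Timeout directive, and an absolute deadline for receiving the CRLF CRLF blank line (the kind of limit Apache's mod_reqtimeout module can enforce, which the article does not cover). The arrival times, header names and the 20 s deadline are constructed for the demonstration.

```python
"""Added example: replay a slow partial-header connection against two server
policies and show which one drops it. Not from the original article or Apache."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER_END = b"\r\n\r\n"  # blank line: the only thing that completes an HTTP header block


@dataclass
class Verdict:
    header_complete: bool
    closed_at: Optional[float]  # seconds after accept at which the server dropped the socket


def judge_connection(chunks: List[Tuple[float, bytes]], idle_timeout: float,
                     header_deadline: Optional[float] = None) -> Verdict:
    """chunks: (arrival time in seconds since accept, bytes) for one connection.
    idle_timeout: Apache-style Timeout; the counter restarts whenever data arrives.
    header_deadline: optional absolute limit, from accept, for receiving CRLF CRLF."""
    buf, last_activity = b"", 0.0
    for t, data in chunks:
        if t - last_activity > idle_timeout:          # silence exceeded the idle timer
            return Verdict(False, last_activity + idle_timeout)
        if header_deadline is not None and t > header_deadline:
            return Verdict(False, header_deadline)    # too slow overall, activity or not
        buf += data
        last_activity = t
        if HEADER_END in buf:                         # header finished: serve the request
            return Verdict(True, None)
    # Stream ended without a blank line: the connection sits idle until a timer fires.
    closed = last_activity + idle_timeout
    if header_deadline is not None:
        closed = min(closed, header_deadline)
    return Verdict(False, closed)


# Constructed traffic. A normal client sends the whole header in one segment; the slow
# client sends a request line, then one bogus header every 10 s for five minutes.
NORMAL_CLIENT = [(0.0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\nConnection: keep-alive\r\n\r\n")]
SLOW_CLIENT = [(0.0, b"GET / HTTP/1.1\r\n"), (0.5, b"Host: www.example.com\r\n")] + \
              [(10.0 * k, b"X-a: b\r\n") for k in range(1, 31)]

if __name__ == "__main__":
    print("normal, Timeout 300:", judge_connection(NORMAL_CLIENT, 300))
    print("slow,   Timeout 300:", judge_connection(SLOW_CLIENT, 300))
    print("slow,   Timeout 300 + 20 s header deadline:",
          judge_connection(SLOW_CLIENT, 300, header_deadline=20))
```

With only the idle timeout, the slow connection is never dropped while the bogus headers keep arriving, and it is released 300 s after the last byte; the absolute deadline closes it at 20 s while the normal client is unaffected.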
Slowloris Perl script HTTP DoS attack and its usage
Slowloris mostly goes unnoticed by IDSs (Intrusion Detection Systems), because it does not send a malformed request, but a legitimate request to the web server. Hence it bypasses most of the IDS systems out there.
Slowloris works on the principle of consuming all available HTTP connections on the server. Hence it takes time on a high-traffic website that already has a number of clients connected, because in that case Slowloris has to wait for HTTP connections to become available (other clients are connected and are being served).
A funny but important thing about a Slowloris attack is that as soon as the attacker stops running the script, the website comes back online, because the web server automatically closes the connections after some time (after the timeout interval).
How to prevent/protect/mitigate a Slowloris attack?
1. Use hardware load balancers that accept only full HTTP connections.
Using hardware load balancers with an HTTP profile configured is the best method to stop such an attack,
because the load balancer will inspect the packets and forward to the web server only those HTTP requests which are complete.
If you are using an F5 BIG-IP load balancer, I recommend reading the link below on mitigating Slowloris attacks.