rsnake's done it again!  He developed a DoS which utilized HTTP on a multithreaded webserver, like Apache, not IIS.  He says it is possible to DoS a website with just one computer and 1,000 packets because of the way the attack occurs.

More information, including Apache's laize faire response is here, http://ha.ckers.org/blog/20090617/slowloris-http-dos/ with the details here, http://ha.ckers.org/slowloris/.

Talk amongst yourselves...

You can change the default Apache settings to limit the connections. Not sure about firewalls.

EDIT---

RSnake says:
@All, we have now gone through and tested every single recommendation Apache has made on that page - even the scary experimental one that says it may take down your server in the process of it’s use, and none of them stopped Slowloris. I think we can finally move on from that part of the discussion.

I'm not sure how easy it would be to write an IDS signature for this, as the time span that you would have to track the session through could make your IDS sad.  Basically what the application appears to be doing, is taking advantage of the fact that most people protect their apache (or other web server instances) by limited the number of forks/threads to ensure that the box doesn't run out of memory.  When web servers run out of memory, things turn ugly, so this tool takes advantage of that, and if the limit is not imposed, the box will probably just run out of memory anyway, taking down the whole thing anyway. 

It appears to be doing this by opening up connections, sending a valid request, without sending the trailing new line that tells the web server "YO, GIMME DATA!".  By omitting that final new line, the connection remains open while the webserver waits for you to finish asking the question. Sure, it will eventually timeout, but if you send it another small header like "X-happy: 4"  it will start the wait again.  As this isn't written to the log file until the request has been made, until something bad happens, there won't be any logs indicating what is going on.  A netstat will reveal the problem, and as a complete connection is required, it is easy to block the attacker, but it isn't a flood enough  of traffic to make most folks go WOH! 

I could be wrong, but that's how I read it.

I am not great at grep, but it seems that a grep expression could be written to detect input without a new line character.   If a grep expression can be written, than a Snort signature can be created.  What do you guys think?

It seems to be that this would be something Apache should address.   They would just have to time out the connection, even if it is technically incomplete.  I am sure there are complications with this approach, especially with long running connections, like file transfer.