[wetha]

This, if done maliciously, is a valid DOS attack vector known as Slowloris/SlowPost attacks.

I know it’s easier said than done, but there should be active mitigation in place, rather than only monitoring.

[NetStrikeForce]

Slowloris is HTTP-based, right? In this case I'm not sure they didn't even have to go up to that layer 7, it seems they had some generous time-outs for TCP and SSL idle (or incomplete) sessions