The symptoms point directly to a Slowloris attack, which CEH materials classify as an application-layer denial-of-service technique that targets web servers by exhausting their available concurrent connection slots rather than saturating bandwidth. In a Slowloris attack, the attacker opens many HTTP or HTTPS connections to the server and then keeps them alive as long as possible by sending partial, incomplete HTTP requests or very slow header transmissions at timed intervals. Because the requests are never fully completed, the server keeps the connections open, waiting for the remainder of the request. Over time, the server’s maximum connection limit is consumed, and legitimate users cannot establish new sessions, even though overall network traffic may remain relatively low.

That exact pattern is described in the scenario: the server is “struggling to accept new connections,” the “maximum connection limit is nearly reached,” and there is “no significant spike in overall network traffic.” This is a classic indicator of low-and-slow DoS behavior, which can be harder to detect because it does not resemble a high-volume flood.

A SYN Flood attack can also exhaust connection resources, but it typically creates a large number of half-open TCP connections and is usually more apparent in network-level telemetry and SYN backlog behavior. A UDP Flood generally causes a noticeable traffic spike. “Peer-to-Peer Attack” describes a botnet architecture style, not the specific technique used here. Therefore, the attack being simulated is Slowloris.