Slowloris works by sending partial HTTP headers slowly — one byte every few seconds — keeping connections open indefinitely. CE enforces a hard 100ms timeout for the complete HTTP request line. After 100ms of waiting for headers, the connection is forcibly closed and the socket recycled. Your "slow drip" connections last exactly 100ms each. You're not holding anything — you're just making 10 connections per second that all die instantly.

Traditional Slowloris kills Apache because Apache has a fixed thread pool (default: 256 workers). Once you hold all 256 connections, new requests queue up until the server appears down. CE uses an async event-loop architecture (epoll/io_uring) with O(1) per-connection overhead. It can handle 10 million concurrent connections on a single 8-core server. Your maximum botnet can open ~100,000 connections simultaneously. That's 1% of capacity.

CE's ML traffic classifier specifically recognizes Slowloris behavioral patterns: connections that send exactly 1-3 bytes of headers then pause, repeat every 15-20 seconds. This is as distinctive as a shouting "I AM A SLOWLORIS ATTACK." The classifier flags these connections and begins rate-limiting them within 200ms. After 5 flagged connections from one IP, the IP is blocked for 24 hours.

Even if Slowloris somehow saturated one CE node (it can't), the load balancer health-checks all nodes every 100ms. An overloaded node gets marked unhealthy and removed from rotation within 100ms. New nodes spin up in 3 seconds via auto-scaling. Your attack would need to simultaneously saturate all 47,239 nodes AND prevent new ones from spinning up. Congratulations, you've discovered why Kubernetes exists.