Why are NginX and Lighttpd not affected by Slowloris?
Solution 1:
Apache has a theory of 'Maximum Clients'.
That is the number of simultaneous connections it can handle. I.e., if an Apache server has a 'max clients' limit of 100, and each request takes 1 second to complete, it can handle a maximum of 100 requests per second.
An application like SlowLoris will flood a server with connections. In our example, if SlowLoris sends 200 connections per second and Apache can only handle 100 connections per second, the connection queue will keep getting bigger and use up all the memory on the machine, bringing it to a halt. This is similar to the way Anonymous' LOIC works.
NGINX and Lighttpd (among others) don't have a maximum connections limit; they use worker threads instead, so, theoretically, there's no limit to the number of connections they can handle.
If you monitor your Apache connections, you'll see that the majority of the active connections are 'Sending' or 'Receiving' data from the client. In NGINX/Lighttpd they just ignore these requests and let them run on in the background, not using up system resources, and it only has to process connections with something going on (parsing responses, reading data from backend servers, etc.).
I actually answered a similar question this afternoon, so the information in there might also be interesting to you: Reducing Apache request queuing
Solution 2:
Nginx is actually vulnerable to a slowloris attack. The scarce resource is the maximum number of simultaneous worker connections. This number can be calculated as worker_connections * worker_processes and equals 512 in the default nginx configuration. So, it is quite easy to take down an unprotected nginx with tools such as goloris.
Solution 3:
valyala's comment should be accepted as the answer.
Most nginx servers use default configs and are therefore vulnerable to a slowloris attack. I have used slowloris to take down some of my friends' nginx websites using only my laptop, and usually it took less than 5 minutes (my friends challenged me to do so).
As valyala stated, technically, nginx is not vulnerable to slowloris, but the default configs limit the max number of connections, so when the connections exceed that number, nginx drops the new request, which results in a denial of service.
The known ways to protect nginx from slowloris include limiting the number of connections from the same IP and increasing the worker_connections config. The attack can still work, but it gets harder (maybe taking more than 5 minutes? :D)
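
Added example (not part of any of the answers above): a small Python audit that reads an nginx config, computes the worker_connections * worker_processes ceiling from Solution 2, and reports what share of it a single client IP may hold given the per-IP limit mentioned in Solution 3. The two sample configs, the zone name `perip` and the function names are constructed for illustration; `limit_conn_zone` and `limit_conn` are nginx's standard directives for the per-IP limit.

```python
import re

# nginx built-in defaults, used when a directive is absent.
DEFAULTS = {"worker_processes": "1", "worker_connections": "512"}

# Constructed sample configs (not taken from the answers above).
DEFAULT_CONF = """
worker_processes 1;
events { worker_connections 512; }
http { server { listen 80; } }
"""
HARDENED_CONF = """
worker_processes 4;
events { worker_connections 4096; }
http {
    limit_conn_zone $binary_remote_addr zone=perip:10m;  # one counter per client IP
    server { listen 80; limit_conn perip 10; }
}
"""

def directives(conf):
    """Map each simple `name args;` directive to its argument list (last wins)."""
    conf = re.sub(r"#.*", "", conf)  # drop comments
    return {n: a.split() for n, a in re.findall(r"([a-z_]+)\s+([^;{}]+);", conf)}

def audit(conf, cpu_count=1):
    """Return the connection-slot ceiling and how much of it one IP may hold."""
    d = directives(conf)
    procs = d.get("worker_processes", [DEFAULTS["worker_processes"]])[0]
    procs = cpu_count if procs == "auto" else int(procs)
    conns = int(d.get("worker_connections", [DEFAULTS["worker_connections"]])[0])
    capacity = procs * conns  # upper bound; proxied upstream connections also count
    per_ip = None
    zone_def, limit = d.get("limit_conn_zone"), d.get("limit_conn")
    if zone_def and limit and len(zone_def) > 1 and len(limit) > 1:
        keyed_by_ip = zone_def[0] in ("$binary_remote_addr", "$remote_addr")
        same_zone = zone_def[1].startswith("zone=" + limit[0] + ":")
        if keyed_by_ip and same_zone:
            per_ip = int(limit[1])
    share = 1.0 if per_ip is None else min(1.0, per_ip / capacity)
    return {"capacity": capacity, "per_ip_limit": per_ip, "single_ip_share": share}

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

A `single_ip_share` of 1.0 means nothing in the config stops one address from holding every connection slot; the hardened sample caps each address at 10 of 16384 slots.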