A system and computer-implemented method to detect a slowloris-type network attack, wherein the method includes receiving data gathered by a server of a network over time, the data received including data about timing of requests from a plurality of clients received by the server, tracking the data about timing of requests over time, determining one or more characteristics about distribution of the data tracked, tracking the one or more characteristics to determine whether there is an increase in time for reading, by the server, a larger portion of requests tracked, identifying a change in the characteristics that indicates the presence of a slowloris-type network attack, and performing an action, in response to the change, to at least one of generate an alert about the slowloris-type network attack, request mitigation of the slowloris-type network attack, and mitigate the slowloris-type network attack.