Slow HTTP Denial of Service attack (DoS) is unpretentious but impressive effect in knocking down the opponent. The principle of the attack is quite simple however its detection is complicated. A criminal can open lots of connections to the server by initiating HTTP requests and keep them opening. There are many detections analysis and studies, however at slow DoS attack is still threatening and dangerous. In this paper, TCP/IP packet analyzed, and behavior based to detect Slow HTTP DoS attack is proposed.