I just saw this video on slow loris attacks (https://youtu.be/XiFkyR35v2Y).
So my question is: why even bother with creating a botnet for a ddos attack?

Because people use connection limiting to make it ineffective from a single ip.

But yes it's an interesting attack.

That hits Apache hardest, and it becomes increasingly common for hosters not to expose apache directly, but put it behind an NGinx reverse proxy. Usually for speed reasons with static assets, but it helps also for this scenario.

@NotWhoIUsedToBe Connection limits per IP would run into CGNAT with mobile connections, wouldn't they?