Malicious activity, such as and without limitation spamming, denial of service attacks, hacking, or the like, is of significant concern to online service providers and users. Currently, malicious activity is typically detected based on a level of activity, which is typically monitored using level of activity counters. By way of some non-limiting examples, level of activity counters can be used to monitor user actions, abusive actions, action per network address, or the like, each of which has a ceiling value which when hit results in a block of the activity. Presently, a centralized approach is used to maintain and share level of activity counters. This approach requires that the centralized level of activity counters be maintained in a centralized store (e.g., centralized database server), which receives counter updates from servers and distributes the updated counters to the servers. This approach lacks scalability and introduces latency, particularly when there is a high number of counters and/or a high volume of counter updates. The problems associated with the centralized approach are especially problematic when distributed attacks, e.g., attacks across multiple data centers, need to be addressed and prevented. While partitioning and/or replication may be used with the centralized approach, this approach also suffers from scalability and latency issues, especially when there is a high number of counters and/or a high volume of counter updates.