Flooding attacks, commonly called Denial of Service attacks, have recently been used with increasing frequency to target and disable servers on the Internet. A flooding attack occurs when a user sends a large number of requests to a server in a relatively short period of time with the intent to overload and thereby disable the server. A flood of packets from a malicious user can overload a server in the same way that a flood of packets from a misconfigured system can. In either case the end result is the same: the server becomes overloaded trying to service the requests. This prevents legitimate requests from being served in a timely manner and often causes the server to crash. A number of flooding attacks have been reported recently on web targets at the FBI, the White House, and the genealogy website of the Church of Latter Day Saints. Flooding attacks are very difficult for traditional intrusion detection systems to detect or prevent because it is hard to determine whether the traffic is legitimate. An increase in activity alone is not a good criterion for detecting a flood; using this criterion could lead to many false detections. Another drawback of using inbound activity to detect a flood is its high overhead, because the detection processing must occur in the mainline packet processing path. The source of an attack is also difficult to determine because attackers normally use a spoofed source IP address, so the address gives no true indication of the source of the attack.