DoS Mitigation

Input queue congestion handling

- Under some DDoS attacks
  - CPU is overloaded
  - Input queue fills up
  - Machine becomes unresponsive
- When the input queue is full
  - Stop evaluating the ruleset
  - Stateful packets are passed
  - Stateless packets are dropped unconditionally
- Packets would have been dropped anyway
- Machine stays responsive
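A minimal C model of the congestion path described above, added here as an illustration and not taken from any real packet filter's source. `QUEUE_CAP`, the flow tuple, the state table and the one-rule policy are constructed assumptions; the counter shows that no ruleset walk happens while the queue is full.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model; names, capacity and the one-rule policy are assumptions. */
#define QUEUE_CAP  4                    /* input queue capacity */
#define MAX_STATES 8
enum verdict { PASS_STATE, PASS_RULE, DROP_RULE, DROP_CONGESTED };
struct flow { uint32_t src, dst; uint16_t sport, dport; };

static struct flow states[MAX_STATES];
static size_t nstates;
static unsigned rule_evals;             /* counts expensive ruleset walks */

static bool state_lookup(const struct flow *f) {
    for (size_t i = 0; i < nstates; i++)
        if (states[i].src == f->src && states[i].dst == f->dst &&
            states[i].sport == f->sport && states[i].dport == f->dport)
            return true;
    return false;
}

/* Stand-in ruleset: new connections are allowed to port 443 only. */
static bool ruleset_allows(const struct flow *f) {
    rule_evals++;
    return f->dport == 443;
}
unsigned rule_evaluations(void) { return rule_evals; }

/* queue_len is the current depth of the input queue. */
enum verdict filter(const struct flow *f, size_t queue_len) {
    if (state_lookup(f))                /* cheap lookup, always done first */
        return PASS_STATE;
    if (queue_len >= QUEUE_CAP)         /* congested: skip the ruleset */
        return DROP_CONGESTED;
    if (!ruleset_allows(f))
        return DROP_RULE;
    if (nstates < MAX_STATES)           /* remember the flow as stateful */
        states[nstates++] = *f;
    return PASS_RULE;
}

int main(void) {
    struct flow known = {1, 2, 1000, 443}, fresh = {3, 2, 2000, 443};
    filter(&known, 0);                  /* idle queue: ruleset walk, state made */
    int k = filter(&known, QUEUE_CAP), n = filter(&fresh, QUEUE_CAP);
    printf("known=%d fresh=%d ruleset walks=%u\n", k, n, rule_evaluations());
    return 0;
}
```

The model matches a flow in one direction only and treats congestion as a simple depth check; when and how the congested condition clears is not covered by the slide and is left out here.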