When the SYN packet is silently dropped, the requesting client will time out waiting for a SYN ACK and retry with an exponentially increasing time-out value. An alternate option, which we do not consider, is to send a TCP RST to reset the connection, indicating an abort from the server. This approach, however, incurs unnecessary extra overhead. In addition, some clients send a new SYN immediately after a TCP RST is received instead of aborting the connection. Note that we drop non-compliant SYNs even before a socket is created for the new connection, thereby investing only a small amount of overhead on requests that are dropped.
To provide service differentiation, connection requests are aggregated based on filters and each aggregate has a separate token bucket profile. Filtering based on client IP addresses is useful since a few domains account for a significant portion of a web server's requests [12]. The rate and burst values are enforced only when overload is detected and can be dynamically controlled by an adaptation agent, the details of which are beyond the scope of this paper.
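The per-aggregate policing described above can be modeled in user space as follows. This is an added example, not code from the paper: the struct and function names, the first-match filter order, the millitoken accounting, the caller-supplied overload flag and monotonic millisecond clock, and the sample profile values are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* One aggregate: a client-IP prefix filter plus its token bucket profile. */
struct aggregate {
    uint32_t net, mask;   /* filter matches when (src & mask) == net */
    uint64_t rate, burst; /* SYNs per second; bucket depth in SYNs */
    uint64_t mtok;        /* current fill in 1/1000 of a token */
    uint64_t last_ms;     /* time of the last refill */
};

enum verdict { SYN_ACCEPT, SYN_DROP };

/* Police one SYN: first matching filter wins, unmatched SYNs pass. */
enum verdict police_syn(struct aggregate *a, size_t n, uint32_t src,
                        uint64_t now_ms, int overloaded)
{
    for (size_t i = 0; i < n; i++) {
        struct aggregate *g = &a[i];
        if ((src & g->mask) != g->net)
            continue;
        /* rate [tokens/s] * elapsed [ms] = millitokens, capped at burst */
        g->mtok += g->rate * (now_ms - g->last_ms);
        if (g->mtok > g->burst * 1000)
            g->mtok = g->burst * 1000;
        g->last_ms = now_ms;
        if (!overloaded)
            return SYN_ACCEPT;  /* profile is only enforced under overload */
        if (g->mtok < 1000)
            return SYN_DROP;    /* silent drop: no RST, client backs off */
        g->mtok -= 1000;
        return SYN_ACCEPT;
    }
    return SYN_ACCEPT;
}

/* Constructed input: 10 SYNs, 100 ms apart, from 10.1.2.3. */
int demo_drops(int overloaded)
{
    struct aggregate prof[] = {
        { 0x0A010000u, 0xFFFF0000u, 2, 3, 3000, 0 },  /* 10.1.0.0/16 */
        { 0, 0, 100, 100, 100000, 0 },                /* everyone else */
    };
    int drops = 0;
    for (uint64_t t = 0; t < 1000; t += 100)
        drops += police_syn(prof, 2, 0x0A010203u, t, overloaded) == SYN_DROP;
    return drops;
}
```

With the constructed profile (2 SYNs/s, burst 3), the first three SYNs consume the burst, one more is admitted at 500 ms once a full token has accumulated, and the remaining six are dropped; with the overload flag clear, none are dropped.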