Some embodiments provide a method for securing a managed forwarding element (MFE) that operates within a data compute node (DCN) executing in a host machine. The method receives, from the MFE, a message to increase a local counter value by a first number when the MFE sends the first number of packets to a network interface controller (NIC). The method receives, from the NIC, a second number that indicates a total number of packets that the NIC has received from the MFE. The method compares the received second number with the local counter value after increasing the local counter value by the first number. The method determines that the DCN is under a malicious attack when the local counter value does not match the second number.