A web server operating in a container has resource and network limits applied to add an extra layer of security to the web server. If a monitor detects that the container's resource usage is approaching one or more of these limits, which may be indicative of a DDoS attack, (step 210) or identifies traffic sources exhibiting suspicious behaviour, such as frequently repeated requests from the same address, or from a related set of addresses, a restrictor function caps the resources allowed by the original Webserver container to allow it to recover from buffer overflow and protect servers running in other containers from overwhelming any shared resources. A duplicator function starts up replica containers with the same resource limits to take overflow traffic, and a load balancing function then directs incoming traffic to these overflow containers etc. Traffic from suspicious sources is directed by the load balancer to one or more specially-configured attack-assessment container(s) where a ‘dummy’ web server operates. The behaviour of these sources is analysed by a behaviour monitoring function over some time to determine if they are legitimate or malicious, which can control a firewall to block addresses identified as generating malicious traffic.