Method and system for detecting and mitigating a denial of service attack
Abstract:
A method of detecting and mitigating a denial of service attack is described. The method comprises monitoring incoming first traffic packets, building a first Benford distribution of the first traffic packets, the first Benford distribution corresponding to network behaviour associated with normal traffic, and detecting a denial of service attack associated with incoming second traffic packets. After detecting the denial of service attack, the method involves sorting the incoming second traffic packets according to a characteristic of the incoming second traffic packets to create a Zipf distribution, building a second Benford distribution of the second traffic packets using the Zipf distribution and the first Benford distribution, discarding incoming second traffic packets that are not consistent with the second Benford distribution, and allowing incoming second traffic packets that are consistent with the second Benford distribution.
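As an added illustration (not code from the patent or its authors), the sketch below builds a first-digit distribution from normal traffic and scores a later traffic window against it. The abstract does not name the packet characteristic, the comparison statistic or a threshold, so inter-arrival time in microseconds, a chi-square style distance and the threshold 0.1 are assumptions here, and all sample values are constructed. The Zipf sorting and second-distribution steps are not shown.

```python
import math
from collections import Counter

DIGITS = range(1, 10)
# Benford's law, for reference: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in DIGITS}

def first_digit(value):
    """Leading non-zero decimal digit of a positive number."""
    return int(f"{value:.6e}"[0])

def digit_distribution(values):
    """Relative frequency of each leading digit 1..9."""
    counts = Counter(first_digit(v) for v in values if v > 0)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no positive samples")
    return {d: counts[d] / total for d in DIGITS}

def distance(observed, baseline, floor=1e-9):
    """Chi-square style distance; floor avoids division by zero."""
    return sum((observed[d] - baseline[d]) ** 2 / max(baseline[d], floor)
               for d in DIGITS)

def is_anomalous(window, baseline, threshold=0.1):
    """True when the window's digit profile departs from the baseline."""
    return distance(digit_distribution(window), baseline) > threshold

# Constructed samples (assumed characteristic: inter-arrival time in microseconds).
NORMAL_TRAINING = [10 ** (i / 200) for i in range(2000)]    # spans 10 decades
NORMAL_WINDOW = [3 * 10 ** (i / 150) for i in range(1500)]  # also spans 10 decades
FLOOD_WINDOW = [48 + (i % 5) for i in range(1500)]          # near-constant spacing

# Baseline learned from normal traffic, as in the abstract's first step.
BASELINE = digit_distribution(NORMAL_TRAINING)

if __name__ == "__main__":
    print(f"baseline vs Benford: {distance(BASELINE, BENFORD):.5f}")
    for name, window in (("normal", NORMAL_WINDOW), ("flood", FLOOD_WINDOW)):
        score = distance(digit_distribution(window), BASELINE)
        print(f"{name}: distance={score:.4f} "
              f"anomalous={is_anomalous(window, BASELINE)}")
```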