A system, method and computer program for detecting and restricting remotely controlled distributed denial of service software. This detection is based upon characteristic patterns seen in denial of service software. These patterns are monitored for at the generating source of the attack. When detected, the software application attempting a distributed denial of service is blocked from transmitting any packets to a target web server. Therefore, this system, method a computer program stops distributed denial of service attacks before a web site can be overwhelmed by such an attack.