An apparatus and method to detect a denial of service attack on an
internet server by a hacker or malevolent software while effectively
distinguishing an attack from a spike in demand by legitimate users of
the server. In preferred embodiments, the kernel's TCP implementation is
modified to hold back sending a reset (RST) to terminate the connection
and to make an entry in a dead connection list when a connection
attempt is dropped from an overflowing accept queue. The entries are
removed from the dead connection list when they become stale or when an
ACK corresponding to the entry is received. Additional TCP kernel
parameters include a monitor enable to turn the DoS monitor on or off, a
monitor threshold to determine when to send an alarm, and a stale time, a
timeout value that determines when to remove entries from the dead
connection list.
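
The dead connection list described above, modelled in user space as an added example (not code from the original document or from any kernel). All names are hypothetical, and it assumes the alarm condition is the count of entries that went stale without an ACK reaching the monitor threshold, which the text does not spell out.

```c
#include <stdbool.h>
#include <stdint.h>

#define DCL_MAX 64 /* constructed capacity for this model */

struct dcl_entry { uint32_t saddr; uint16_t sport; uint32_t added; bool used; };

struct dos_monitor {
    bool     enable;       /* monitor enable */
    unsigned threshold;    /* monitor threshold */
    uint32_t stale_time;   /* stale time, in clock ticks */
    unsigned stale_count;  /* assumption: entries that aged out with no ACK */
    struct dcl_entry list[DCL_MAX];
};

/* Accept queue overflowed: the RST is held back and the peer is recorded. */
bool dcl_on_drop(struct dos_monitor *m, uint32_t saddr, uint16_t sport, uint32_t now)
{
    for (int i = 0; m->enable && i < DCL_MAX; i++)
        if (!m->list[i].used) {
            m->list[i] = (struct dcl_entry){ saddr, sport, now, true };
            return true;
        }
    return false; /* monitor off or list full: nothing recorded */
}

/* An ACK matching an entry means a live client answered: remove the entry. */
bool dcl_on_ack(struct dos_monitor *m, uint32_t saddr, uint16_t sport)
{
    for (int i = 0; i < DCL_MAX; i++) {
        struct dcl_entry *e = &m->list[i];
        if (e->used && e->saddr == saddr && e->sport == sport) {
            e->used = false;
            return true;
        }
    }
    return false;
}

/* Periodic sweep: remove stale entries; returns true when an alarm is due. */
bool dcl_sweep(struct dos_monitor *m, uint32_t now)
{
    for (int i = 0; i < DCL_MAX; i++) {
        struct dcl_entry *e = &m->list[i];
        if (e->used && now - e->added >= m->stale_time) {
            e->used = false;
            m->stale_count++; /* peer never followed up with an ACK */
        }
    }
    return m->enable && m->stale_count >= m->threshold;
}
```

In this model a demand spike from real clients clears its own entries through dcl_on_ack, so only peers that never answer contribute to the alarm count.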