A technique to mitigate low rate Denial-of-Service (DoS) attacks at
routers in the Internet is described. In phase 1, the necessary flow
information from packets traversing the router is stored in fast
memory; in phase 2, the stored flow information is periodically moved
from fast memory to slow memory for further analysis. The system
detects a sudden increase in the traffic load of flows that expired
within a short period. In a network without low rate DoS attacks, the
traffic load of all expired flows stays below certain thresholds, which
are derived from analysis of real Internet traffic. The system can also
include a filtering solution that drops attack packets. The filtering
scheme treats long-lived flows in the Internet preferentially: it
monitors the queue length and drops attack traffic once the queue
length exceeds a threshold percentage of the queue limit.
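The two phases, the expired-flow detector and the queue-length filter can be modelled in a few dozen lines. The following is an added example written for this page, not the described system's own implementation: the idle timeout, detection window, load threshold, queue limit and the age at which a flow counts as long-lived are all assumed values, and the packet trace (one steady flow plus a burst of many short flows) is constructed to exercise the detector.

```python
"""Model of a two-phase expired-flow monitor with a queue-length filter.
Added example; every constant below is an assumed value, not one derived
from real traffic analysis."""
from dataclasses import dataclass

IDLE_TIMEOUT = 2.0            # seconds without a packet before a flow expires (assumed)
DETECT_WINDOW = 1.5           # "short period" over which expired flows are summed (assumed)
EXPIRED_LOAD_THRESHOLD = 20_000  # bytes; the page derives this from traffic analysis (assumed here)
QUEUE_LIMIT = 100             # packets the router queue can hold (assumed)
QUEUE_DROP_PCT = 80           # start dropping when queue exceeds 80% of the limit (assumed)
LONG_LIVED_SECONDS = 5.0      # age beyond which a flow is treated preferentially (assumed)


@dataclass
class FlowRecord:
    first_seen: float
    last_seen: float
    byte_count: int = 0
    packet_count: int = 0


class FlowMonitor:
    def __init__(self):
        self.fast = {}   # phase 1: active flows, keyed by a 5-tuple-like id
        self.slow = []   # phase 2: (expiry_time, FlowRecord) of expired flows

    def observe(self, ts, flow_id, size):
        """Phase 1: update the fast-memory record for every packet seen."""
        rec = self.fast.get(flow_id)
        if rec is None:
            rec = self.fast[flow_id] = FlowRecord(first_seen=ts, last_seen=ts)
        rec.last_seen = ts
        rec.byte_count += size
        rec.packet_count += 1

    def sweep(self, now):
        """Phase 2: move idle flows from fast memory to slow memory."""
        idle = [f for f, r in self.fast.items() if now - r.last_seen >= IDLE_TIMEOUT]
        for fid in idle:
            self.slow.append((now, self.fast.pop(fid)))
        return idle

    def expired_load(self, now):
        """Total bytes of flows that expired within the last DETECT_WINDOW seconds."""
        return sum(r.byte_count for t, r in self.slow if now - t < DETECT_WINDOW)

    def attack_suspected(self, now):
        return self.expired_load(now) > EXPIRED_LOAD_THRESHOLD

    def should_drop(self, now, flow_id, queue_len):
        """Filter: under congestion, drop packets of flows that are not long-lived."""
        if queue_len <= QUEUE_LIMIT * QUEUE_DROP_PCT / 100:
            return False
        rec = self.fast.get(flow_id)
        long_lived = rec is not None and now - rec.first_seen >= LONG_LIVED_SECONDS
        return not long_lived


def simulate():
    """Constructed trace: one steady long-lived flow plus one burst of short flows."""
    mon = FlowMonitor()
    steady = ("10.0.0.1", "10.0.0.2", 443)
    for i in range(20):                       # 500-byte packet every 0.5 s for 10 s
        mon.observe(i * 0.5, steady, 500)
    for i in range(100):                      # 100 one-packet flows between t=6.1 and t=6.3
        mon.observe(6.1 + i * 0.002, ("198.51.100.%d" % i, "10.0.0.2", 80), 400)
    results = {}
    for step in range(11):                    # periodic sweep once per second
        now = float(step)
        mon.sweep(now)
        results[now] = (mon.expired_load(now), mon.attack_suspected(now))
    return mon, results


if __name__ == "__main__":
    mon, results = simulate()
    for now, (load, alarm) in results.items():
        print("t=%4.1f expired load=%6d bytes  alarm=%s" % (now, load, alarm))
```

The burst flows each fall idle together, so they expire in the same sweep (at t=9 in this trace) and their combined load crosses the threshold, while the steady flow never leaves fast memory and, being long-lived, is spared by `should_drop` even when the queue is over the drop percentage.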