A server receives a SYN packet and generates a SYN packet signature from the SYN packet. The server generates multiple aggregate signatures for the SYN packet signature that each include a generalized value for at least one element, where each aggregate signature has a different level of specificity and corresponds with a different fingerprint table. The server sequentially iterates through the fingerprint tables starting with the most specific aggregate signature and the most specific fingerprint table until a match exceeding a counter threshold is found, if any. If an aggregate signature does not match a fingerprint in a fingerprint table, the aggregate signature is added to that fingerprint table and an initial value for the counter is set. A bytecode using an attack fingerprint as input is generated in a form understandable by a network filter, and installed in a network filter.