A system and a method are disclosed for determining malicious web requests. The system processes incoming web requests to determine whether a request matches predetermined patterns of suspicious requests. The systems stores associations between patterns of suspicious requests, parts of the web request where each pattern occurs, and attack type associated with the pattern. If the system determines that an incoming web request matches a pattern of a suspicious request, the system determines whether to forward the request to the web server for processing or to hold the request. The system locks out a source of request for a period of time if the source sends requests that match certain attack patterns.