At least some incoming traffic is distributed into a first set of traffic groups according to a first grouping scheme. Communication activity from a potentially malicious source may be grouped in a given traffic group in which communication activity from an acceptable source is also grouped. Potentially malicious communication activity is detected in the given traffic group. Traffic in the given traffic group is processed using a first traffic processing mode associated with potentially malicious communication activity, in which at least some traffic that is distributed into the given traffic group is discarded. In response to a dynamic trigger the grouping scheme is altered to one or more further grouping schemes in order that the communication activity from the acceptable source is likely to be subsequently grouped into a traffic group which is different to a group into which the communication activity from the potentially malicious source is subsequently grouped.