a plurality of server computers each adapted to receive an event and to create an event packet in response to the event;

a cluster host adapted to receive a plurality of event packets from at least a portion of the plurality of server computers and to update a master screening table in response to the plurality of event packets,

wherein the cluster host is further adapted to communicate a local screening table comprising at least a portion of the master screening table to each of the plurality of server computers, and each of the plurality of server computers is adapted to:

receive the local screening table from the cluster host;

receive an event requesting a service;

create an event identification associated with the event;

select a table entry from a plurality of table entries in the local screening table as a selected table entry, wherein the selected table entry advances cyclically through the local screening table, and the selected table entry advances to a next entry of the local screening table in response to the event identification not being present in the local screening table;

increment a first count value associated with a first table entry of the plurality of table entries in the local screening table in response to the event identification matching an event identification associated with the first table entry;

decrement a second count value associated with the selected table entry of the plurality of table entries in response to the event identification not being present in the local screening table;

replace the selected table entry with the event identification associated with the received event in response to the second count value equaling a predetermined value; and

determine a metric value for the event from the local screening table, the metric value indicating that the event is an abusive request.