From e-commerce to command-and-control to situational awareness, organizations increasingly depend on web servers for mission-critical functionality. Distributed denial-of-service (DDoS) attacks put that functionality at risk. DDoS attacks pose an asymmetric threat; attackers with minimal resources can impact well-provisioned systems, and current best-of-breed commercial systems cannot counter zero-day algorithmic DDoS attacks. The NNBC Firewall is a practical DDoS solution. Operating on its own it can defend a site against both algorithmic and volumetric application-level DoS attacks. When used in conjunction with a commercial overlay network that provides a black list API, the NNBC can defeat bandwidth-consuming volumetric attacks. Central to the NNBC Firewall is the NEMESIS Non-Bayesian Classifier (NNBC), a sequential decision maker that uses temporal correlation between web requests and DoS events to classify clients as attacker vs. non-attacker. This allows the firewall to defend the web site against volumetric and algorithmic DoS attacks, including zero-day attacks that cannot be detected.