A method and apparatus for protecting, from denial of service attacks, a
device that provides particular services that consume substantial
computational resources. A data packet includes data for the particular
services and a cryptographic tag. It is determined whether the data
packet is legitimate based on the cryptographic tag and a size of the
data for the particular services without otherwise using the data for the
particular services. If the data packet is not legitimate, then the data
is diverted from input to the particular services that process the data.
These techniques use the cryptographic tag to provide strong data origin
authentication without the heavy computational costs associated with
providing full data integrity authentication in typical cryptographic
services. Further, denial of service protection is conveniently
implemented as a cryptographic service.
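An added illustration of the filtering step described above (example code, not from the patent): the tag is computed as an HMAC over the origin identifier and the declared size only, so a packet is accepted or diverted before the expensive service ever touches the payload. The header layout, the per-origin key table, the size cap and the stand-in service are all constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed header layout (assumption): 4-byte origin id, 4-byte declared
# payload length, 16-byte truncated HMAC-SHA256 tag, then the payload bytes.
HEADER = struct.Struct("!II")
TAG_LEN = 16
MAX_PAYLOAD = 1024  # assumed cap on data the heavy service will accept

# Constructed per-origin keys shared with legitimate senders (assumption).
KEYS = {1: b"origin-one-key", 2: b"origin-two-key"}


def make_tag(key, origin, length):
    # The tag covers only origin id and declared size, never the payload, so it
    # gives data origin authentication without hashing the full data.
    msg = HEADER.pack(origin, length)
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_packet(key, origin, payload):
    return HEADER.pack(origin, len(payload)) + make_tag(key, origin, len(payload)) + payload


def is_legitimate(packet):
    """Decide from header, tag and size alone; payload bytes are not inspected."""
    if len(packet) < HEADER.size + TAG_LEN:
        return False
    origin, length = HEADER.unpack_from(packet)
    tag = packet[HEADER.size:HEADER.size + TAG_LEN]
    key = KEYS.get(origin)
    if key is None or length > MAX_PAYLOAD:
        return False
    # Size check: the declared length must match the bytes actually present.
    if len(packet) - HEADER.size - TAG_LEN != length:
        return False
    return hmac.compare_digest(tag, make_tag(key, origin, length))


def expensive_service(payload):
    # Stand-in for the resource-hungry service (assumption; e.g. a signature check).
    return hashlib.sha512(payload * 1000).hexdigest()


def dispatch(packet, diverted):
    """Divert illegitimate packets; only legitimate ones reach the service."""
    if not is_legitimate(packet):
        diverted.append(packet)  # the service never sees this data
        return None
    return expensive_service(packet[HEADER.size + TAG_LEN:])
```

Because the tag binds only the origin and the size, it does not protect payload contents; that is exactly the trade-off the abstract states, so the service behind the filter must still validate the data it receives.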