This article focuses on the justification of the timing characteristics of devices using a static window flow control mechanism for protection against denial of service (DoS) attacks. The main focus is on a particular type of DoS attack, like flood and hit-and-run attacks. An attack of that kind can be performed using the black-box approach with a minimal piece of knowledge about the internals of the attacked system. The methods of tropical algebra (min-plus algebra) are used to compute the timing characteristics of the device with static window flow control.