Distributed Reflection Denial of Service (DRDoS) attack is one of the critical security threats. As the attack generates unidirectional traffic, it is not easy for the targets of the attack to protect themselves. To mitigate the attack, we need a defense mechanism installed at backbone networks, i.e., detecting and blocking the attack traffic before they reach to the destinations. A conventional approach is to monitor the traffic volume of the attack, i.e., an attack is detected if the observed traffic volume exceeds a certain threshold. However, such a simple approach may not work when an attacker adjusts the traffic volume to evade the detection. This paper proposes a novel method that can detect the DRDoS attacks accurately. The key idea is to leverage the characteristics of time intervals between the packets. We make use of the K-means clustering algorithm to find the best threshold values used to distinguish packets associated with DRDoS attacks. We implement the proposed algorithm into an equipment at a data center and demonstrate that our approach attains high accuracy
