The present invention efficiently detects various DDoS attacks for large scale Internet with the temporal correlation of traffic flows on the two directions of a single link, the spatial correlation of DDoS attack traffic at different locations and powerful machine learning algorithms. With these techniques, the present invention effectively detects and identifies attack sources without modifying existing IP forwarding mechanisms and without a global upgrade to Internet backbone routers. More importantly, the present invention can detect synchronized DDoS attacks even if the volume of attack traffic is extremely small at the location that is close to the attack source.