<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "https://jats.nlm.nih.gov/publishing/1.3/JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xml:lang="ru">
  <front xmlns:xlink="http://www.w3.org/1999/xlink">
    <journal-meta>
      <journal-id journal-id-type="elibrary">9004</journal-id>
      <journal-title-group>
        <journal-title>Problems of information security. Computer systems</journal-title>
        <trans-title-group xml:lang="ru">
          <trans-title>Проблемы информационной безопасности. Компьютерные системы</trans-title>
        </trans-title-group>
      </journal-title-group>
      <issn pub-type="epub">2071-8217</issn>
    </journal-meta>
    <article-meta xmlns:xlink="http://www.w3.org/1999/xlink">
      <article-id pub-id-type="publisher-id">3</article-id>
      <article-id pub-id-type="doi">10.48612/jisp/6ed5-9p6x-uuf6</article-id>
      <title-group>
        <article-title>METHODOLOGY OF EARLY DETECTION OF DDOS ATTACKS TO PROTECT INFORMATION INFRASTRUCTURE OBJECTS</article-title>
        <trans-title-group xml:lang="ru">
          <trans-title>Методика раннего выявления DDOS-атак для защиты объектов информационной инфраструктуры</trans-title>
        </trans-title-group>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <name>
            <surname>Glibovsky</surname>
            <given-names>Pavel</given-names>
          </name>
          <xref ref-type="aff" rid="aff1"/>
          <email>vka@mil.ru</email>
        </contrib>
        <contrib contrib-type="author">
          <name>
            <surname>Timashov</surname>
            <given-names>Pavel</given-names>
          </name>
          <xref ref-type="aff" rid="aff1"/>
          <email>vka@mil.ru</email>
        </contrib>
        <contrib contrib-type="author">
          <name>
            <surname>KOTENOK</surname>
            <given-names>Igor</given-names>
          </name>
          <xref ref-type="aff" rid="aff1"/>
        </contrib>
      </contrib-group>
      <aff id="aff1">Mozhaisky Military Aerospace Academy</aff>
      <pub-date publication-format="electronic" date-type="pub" iso-8601-date="2022-12-26">
        <day>26</day>
        <month>12</month>
        <year>2022</year>
      </pub-date>
      <issue>4</issue>
      <fpage>28</fpage>
      <lpage>34</lpage>
      <self-uri xmlns:xlink="http://www.w3.org/1999/xlink" content-type="pdf" xlink:href="https://jisp.spbstu.ru/userfiles/files/2022_4_short.pdf"/>
      <abstract xml:lang="en">
        <p>An approach to detecting the onset of a DDoS attack by statistical methods that take seasonality into account is considered. The standard practice of setting limits on the number of requests has a number of disadvantages, associated with the occurrence of random triggers and with the varying load of the web resource depending on the time of day and day of the week. To optimize the process, it is proposed to use a floating estimate that characterizes the current network activity, based on the standard deviation (RMS) and taking seasonal fluctuations into account. A k-means clustering method for distributing client requests is proposed. The algorithm selects two clusters from mixed traffic: the first is a set of legitimate requests, the second is a set of malicious requests. Introducing the proposed technique into the protection system, which takes into account the seasonality of DDoS attacks for various types of infrastructure objects, can increase the efficiency of detecting such attacks without increasing resource intensity.</p>
      </abstract>
      <kwd-group xml:lang="en">
        <kwd>DDoS attack</kwd>
        <kwd>standard deviation</kwd>
        <kwd>seasonal fluctuations</kwd>
        <kwd>k-means</kwd>
      </kwd-group>
    </article-meta>
  </front>
</article>
