This application discloses a distributed denial of service attack detection method. The method includes: obtaining a data stream sent to a protection object device in each detection period, obtaining total duration of each data stream; dividing each data stream into a long data stream or a short data stream based on the total duration of each data stream; adding, based on a detection period through which the long data stream goes, total data traffic of the long data stream to statistical traffic; adding data traffic of a short data stream in each detection period to the data traffic, of the long data stream, that is added to a corresponding detection period, to determine statistical traffic in each detection period; and if there is a detection period in which the statistical traffic exceeds a preset traffic threshold, determining that the protection object device undergoes a DDoS attack in the detection period.