Many networks storing data, such as web applications, web pages, or other content, include traffic management computing devices that, among other functions, protect server devices storing the data from malicious attacks. One such set of attacks are denial of service (DoS) or distributed denial of service (DDoS) attacks (commonly referred to herein as DDoS attacks), although many other types of malicious attacks exist. DDoS attacks can be identified based on an increased volume of traffic received by traffic management computing devices that can impact the health of the server devices protected by the traffic management computing devices. In particular, certain Internet Protocol (IP) address can be identified as sources of relatively high volumes of network traffic, and mitigation actions can be initiated on those IP addresses.
However, current methods of identifying an attack condition are often unable to distinguish between a normal increase in network traffic volume and an increase in network traffic volume that is indicative of an attack. Additionally, volumetric methods for identifying certain attackers are not effective when multiple attackers are each placing a below average load on the network traffic management device(s) and/or server(s), but are together resulting in a DDoS attack. Accordingly, current methods often fail to accurately identify attackers, resulting in a relatively high number of false positives, resets of an increased number of good connections, and/or blocking of a relatively large amount of benign traffic.