Distributed denial of service (DDoS) attacks are ever threatening to the developers and users of the Internet. DDoS attacks targeted at the application layer are especially difficult to be detected since they mimic the legitimate users' requests. The situation becomes more serious when they occur during ash events. A more sophisticated algorithm is required to detect such attacks during a ash crowd. A few existing works make use of ow similarity for differentiating ash crowds and DDoS, but ow characteristics alone cannot be used for effective detection. In this paper, we propose a novel mechanism for discriminating DDoS and ash crowds based on the combination of the parameters reflecting their behavioral differences. Flow similarity, client legitimacy, and web page requested are identified as the principal parameters and are used together for effective discrimination. The proposed mechanism is implemented on resilient proxies in order to protect the server from direct flooding and to improve the overall performance. The real datasets are used for simulation, and the results are presented to evaluate the performance of the proposed system. The results show that the proposed mechanism does effective detection with fewer false positives and false negatives. ©2016 Tübitak.