Different from other research work focusing on network-wide traffic, the traffic we focus on for analysis is that of a traffic state viewed from a router¿s interior. In this paper, at first, a kind of Port-to-Port traffic in a router is introduced, which we call IF flow. IF flows can amplify the ratio of attack traffic to normal traffic. Then RLS (recursive least square) filter is used to predict IF flows. After that, a statistical method using residual filtered process is proposed to detect anomalies. Finally we respectively apply the method to three types of traffics: IF flows, input links and output links within a router, and compare the anomaly detection results using ROC curves. Results show that IF flows are more powerful than input links and output links in DDoS attacks detection.