With the proliferation of services available on the Internet, network attacks have become one of the serious issues. The distributed denial of service (DDoS) attack is such a devastating attack, which poses an enormous threat to network communication and applications and easily disrupts services. To defense against DDoS attacks effectively, this paper proposes a novel DDoS attack detection method that trains detection models in an unsupervised learning manner using preprocessed and unlabeled normal network traffic data, which can not only avoid the impact of unbalanced training data on the detection model performance but also detect unknown attacks. Specifically, the proposed method firstly uses Balanced Iterative Reducing and Clustering Using Hierarchies algorithm (BIRCH) to pre-cluster the normal network traffic data, and then explores auto-encoder (AE) to build the detection model in an unsupervised manner based on the cluster subsets. In order to verify the performance of our method, we perform experiments on benchmark network intrusion detection datasets KDDCUP99 and UNSWNB15. The results show that, compared with the state-of-the-art DDoS detection models that used supervised learning and unsupervised learning, our proposed method achieves better performance in terms of detection accuracy rate and false positive rate (FPR).