Detection Application Layer DDoS Attack Using Score Function for A connection

Research Abstract
The HTTP flooding attack is the hardest type of DDoS attack to detect, since the malicious packets are hidden in a huge amount of normal traffic. Most detection schemes available up to now use a similarity method over communication attributes (i.e., a fixed threshold for every attribute) or machine learning algorithms. It is notable, however, that attribute numbers vary dramatically according to the users' activity. Also, using machine learning needs a large amount of data for training. In this paper, we introduce a new detection scheme for HTTP flooding attacks that exhaust servers. The proposed detection scheme is based on the HTTP request/response protocol. During normal cases, any server can measure various statistical attributes for its users and their traffic, and can keep these statistical attributes as a reference profile. During the attack time, the server measures some attributes for every connection (i.e., request number, response number, number of not-finished connections, number of TCP packets, number of UDP packets and number of ICMP packets), then computes the distance between these attributes and the statistical attributes of normal cases. The proposed detection scheme uses a small amount of data to specify the score for a normal connection; also, it does not take into consideration a fixed threshold for every attribute in normal connections. Extensive trace-driven simulation has been conducted to demonstrate the efficiency of the proposed scheme in terms of its detection rate, probability of false positive and average detection time.
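The profile-and-distance idea in the abstract can be sketched as follows. This is an added example, not the authors' code: the abstract does not give the distance or score formula, so the standardized Euclidean distance, the single score limit derived from normal connections, the `margin` parameter and all sample values are assumptions made for illustration.

```python
import math
from statistics import mean, pstdev

# The six per-connection attributes named in the abstract.
ATTRS = ("requests", "responses", "unfinished", "tcp_pkts", "udp_pkts", "icmp_pkts")

def build_profile(normal_conns):
    """Reference profile: (mean, std) of each attribute over normal connections."""
    profile = {}
    for a in ATTRS:
        vals = [c[a] for c in normal_conns]
        profile[a] = (mean(vals), pstdev(vals) or 1.0)  # guard against zero spread
    return profile

def score(conn, profile):
    """Assumed score: standardized Euclidean distance from the reference profile."""
    return math.sqrt(sum(((conn[a] - m) / s) ** 2 for a, (m, s) in profile.items()))

def score_limit(normal_conns, profile, margin=1.5):
    """Assumed decision rule: one limit on the score, not one threshold per attribute."""
    return margin * max(score(c, profile) for c in normal_conns)

def classify(conns, normal_conns, margin=1.5):
    """Return {connection id: True if the score exceeds the limit}."""
    profile = build_profile(normal_conns)
    limit = score_limit(normal_conns, profile, margin)
    return {c["id"]: score(c, profile) > limit for c in conns}

def conn(cid, *vals):
    return {"id": cid, **dict(zip(ATTRS, vals))}

# Constructed sample data: a small normal set and two observed connections.
NORMAL = [
    conn("n1", 12, 12, 0, 180, 2, 0),
    conn("n2", 8, 8, 1, 120, 0, 1),
    conn("n3", 15, 14, 1, 220, 3, 0),
    conn("n4", 10, 10, 0, 150, 1, 0),
    conn("n5", 9, 9, 0, 140, 2, 1),
]
OBSERVED = [
    conn("browse", 11, 11, 0, 160, 1, 0),
    conn("flood", 400, 35, 365, 2100, 0, 0),  # many requests, few responses
]

if __name__ == "__main__":
    for cid, flagged in classify(OBSERVED, NORMAL).items():
        print(cid, "ATTACK" if flagged else "normal")
```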
Research Authors
Dalia Nashat, S.Khairi and T. Ibrahim
Research Journal
The Third International Conference on New Horizons in Basics and Applied Science [ICNHBAS], 5–7 August, Hurghada, Egypt
Research Rank
3
Research Year
2017