Abstract:
Conventional flow-monitoring methods, such as sFlow, cannot detect low-rate HTTP GET Flooding denial of service (DoS) attacks, which are a threat even if the traffic rate is low. To solve this problem, we propose a method for detecting DoS attacks on the basis of the burst-state duration of traffic, calculated using a quick packet-matching function of a general router, such as TCAM. In addition, we prove that the burst-state duration is a good feature for distinguishing a normal user's client-to-server traffic from a low-rate HTTP GET Flooding attacker's traffic. Furthermore, we explain the results of an actual equipment evaluation carried out to evaluate the false-negative rate of our method and sFlow in an actual use case. The results show that the proposed method is superior under the condition that the attack-traffic rate is low. The results also show that the proposed method can reliably detect such attacks under this condition.
Date of Conference: 12-14 June 2017
Date Added to IEEE Xplore: 11 July 2017
ISBN Information:
Electronic ISSN: 1944-0375