Hi abra.
Normal traffic uses TCP and attacker traffic uses UDP, because almost all traffic on the internet is HTTP, FTP, email and so on, all of which use the TCP protocol. A DoS attacker sends a lot of UDP packets to the victim, because UDP does not have a congestion control mechanism.
If you want to differentiate the two types of traffic, then follow these steps:
1) Detect the transport protocol.
2) Get or calculate the rate of the senders and compare it with the normal rate.
3) Check the link buffer to find or prevent congestion.
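The three steps above, carried through as a small rate-based detector. This is an added example, not code from the poster; it assumes flow records of the form (timestamp, source IP, transport protocol, packet count), a known baseline UDP packets-per-second figure for a normal sender, and a link buffer occupancy reading as a fraction. The flow records, IP addresses and numbers are constructed for the demo.

```python
"""Rate-based UDP flood detector following the three steps in the post:
1) separate traffic by transport protocol, 2) compute per-sender rate and
compare with a normal baseline, 3) check link buffer occupancy for congestion.
Added example; record format, baseline and buffer reading are assumptions."""
from collections import defaultdict

# Constructed flow records: (timestamp_s, source IP, transport protocol, packet count)
FLOWS = [
    (0, "10.0.0.5", "TCP", 40),        # web/mail style TCP traffic
    (0, "10.0.0.6", "TCP", 55),
    (0, "10.0.0.7", "UDP", 20),        # small, normal UDP (DNS-like) traffic
    (0, "203.0.113.9", "UDP", 5000),   # constructed high-rate UDP sender
    (1, "10.0.0.5", "TCP", 42),
    (1, "10.0.0.7", "UDP", 18),
    (1, "203.0.113.9", "UDP", 5200),
]


def per_sender_rate(flows, proto, window_s):
    """Steps 1 and 2: keep one transport protocol and return packets/second per sender."""
    totals = defaultdict(int)
    for _ts, src, p, pkts in flows:
        if p == proto:
            totals[src] += pkts
    return {src: pkts / window_s for src, pkts in totals.items()}


def flag_senders(rates, baseline_pps, factor=10.0):
    """Step 2: a sender whose rate exceeds the normal baseline by `factor` is flagged."""
    return sorted(src for src, rate in rates.items() if rate > baseline_pps * factor)


def link_congested(buffer_occupancy, threshold=0.9):
    """Step 3: buffer occupancy (0.0..1.0) at or above the threshold means congestion."""
    return buffer_occupancy >= threshold


def detect(flows, window_s, baseline_udp_pps, buffer_occupancy):
    """Run all three steps and return the UDP rates, flagged senders and congestion state."""
    rates = per_sender_rate(flows, "UDP", window_s)
    return {
        "udp_rates": rates,
        "suspects": flag_senders(rates, baseline_udp_pps),
        "congested": link_congested(buffer_occupancy),
    }


if __name__ == "__main__":
    # Two-second window, assumed normal UDP sender rate of 20 pps, buffer 95% full.
    print(detect(FLOWS, window_s=2, baseline_udp_pps=20, buffer_occupancy=0.95))
```

In practice the baseline comes from a quiet measurement window on the same link, and a flagged sender together with a congested buffer is the signal to rate-limit that source rather than all UDP, so legitimate UDP (DNS, VoIP) keeps flowing.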