Distributed denial of service attacks pose an immense threat to the internet. In this work the effect of TCP SYN flood attacks on traffic features are examined. Using traffic features and correlation coefficient matrix and anomaly vector obtained from these features; a network health function is calculated. Applying a threshold to network health function gives alarms that are used to detect beginning and end points of TCP SYN flood attacks. This method is tested using data obtained from experiments of DETER testbed.