A distributed denial-of-service (DDoS) attack is a cyber-attack in which multiple attackers send out a huge number of requests to exhaust the capacity of a server, so that it can no longer serve incoming requests. In this paper, we propose a mechanism to protect against DDoS attacks originated within a datacenter. Our system is composed of two parts: flow monitoring and traffic filtering. In flow monitoring, we formulate two problems: one for finding flow assignments to monitors and another for selecting best locations of monitors. The first problem considers that the locations of monitors are predefined by the cloud provider and we provide an optimal solution. The second problem considers that the locations of monitors are not predetermined and there is a limit on the number of monitors. We propose a greedy solution for the second problem. The traffic filtering is trivial, as the DDoS flow can be blocked from the hypervisor of the source virtual machine. We present simulation results that strengthen support for our solutions.