An extended hidden semi-Markov model is proposed to model web browsing behavior for detecting application layer distributed denial of service (DDoS) attacks. The model describes user browsing behaviors with a large state space. To reduce computational costs, a novel forward algorithm is derived for online implementation based on the M-algorithm. The model fits user HTTP request sequences, and entropy is used as a metric to measure normality and detect anomalies indicating potential attacks. Experiments validated the proposed model and algorithm.