DDoS (Distributed Denial of Service) attack is one of the most used DoS (Denial of Service) attack. It is a distributed attack in which an attacker uses a multitude of compromised computers to attack a single target. Those compromised computers that actually execute the attack are called botnet. To hide their identity, the attacker usually uses a third-party server to control and send attack command to bots, this kind of server is called C&C (command & control) server. The detection of C&C sessions is a strong proof of botnet detection and early detection of DDoS attacks as C&C connections occur before a DDoS attack. Network traffic analysis is an effective method to detect C&C sessions as it is hard to avoid encrypting the payload or change command code. We consider a new feature vector with 55 features, and use a random forest algorithm to build the classifier. Random forest is an ensemble of classifiers that can deal with high-dimension problems. In fact, it can also calculate the importance of features that will help us find the key features responsible for the detection of C&C sessions. Experimental results show that our approach has better performance on C&C session detection.