This document proposes a defense framework called STREAM to defend against stream-based distributed denial of service (DDoS) attacks in mobile ad hoc networks (MANETs). STREAM works by continuously monitoring network traffic patterns between clustered nodes, comparing the real-time patterns to expected patterns, and detecting anomalies that could indicate a DDoS attack. When an attack is detected, STREAM generates alerts and filters illegitimate traffic while minimizing impacts on legitimate traffic. The framework forms node clusters to evaluate traffic patterns based on source and uses both offline and online detection methods to identify attacks.