Smart microgrids depend on continuous communication between controllers, sensors, and actuators over industrial protocols like Modbus TCP, MQTT, and DNP3, that were designed without built-in security mechanisms. The gateway that aggregates this traffic represents a single point of failure vulnerable to distributed denial-of-service (DDoS) attacks. Most existing detection methods require labeled attack data for training, a condition rarely met in operational OT environments. This paper presents an unsupervised CNN-LSTM model trained exclusively on normal microgrid gateway traffic to predict the next traffic window; anomalies are flagged when prediction error exceeds a threshold derived from the training distribution. A dual-branch architecture processes metric time-series through LSTM layers and flow aggregate features through CNN layers, fusing both representations for prediction. The model is evaluated against three protocol-specific DDoS attack scenarios, Modbus SCADA flooding, MQTT publish storm, and DNP3 response flooding - none of which are seen during training. Compared against an Isolation Forest baseline under identical unsupervised conditions, the CNN-LSTM achieves higher precision and recall on all attack types. The framework is deployed within a web-based monitoring platform that supports real-time detection and anomaly logging.