A software defined networking (SDN)-based distributed denial of service (DDoS) attack prevention method, an apparatus, and a system, where a controller delivers a traffic statistics collection instruction to a first packet forwarding device. The traffic statistics collection instruction instructs the first packet forwarding device to perform traffic statistics collection, and carries a destination Internet Protocol (IP) address. The controller collects statistical data reported by the first packet forwarding device, obtains, according to the statistical data, a statistical value of global traffic flowing to the destination IP address, and delivers a DDoS prevention policy to a second packet forwarding device based on a determining result that the statistical value of the global traffic exceeds the preset threshold. Correspondingly, the second packet forwarding device receives the DDoS prevention policy from the controller, and performs, according to the DDoS prevention policy, prevention process on the traffic flowing to the destination IP address.
展开▼
