Using the OpenFlow protocol, the virtual network technology SDN (Software Defined Network) is now widely used. In recent years, the number of DDoS attacks has been increasing year by year. To detect DDoS attacks in SDN, data recorded in the flow table in OpenFlow switch is analyzed and various detection methods are submitted. However, SDN centrally manages communication within the network, when detecting DDoS (Distributed Denial of Service) attacks. This creates a heavy processing load, and the processing load of the OpenFlow controller must be considered. In this paper, in order to reduce the processing load of the controller, we do not collect data of the flow table, extract three features from the Packet In message for communication between the controller and the switch, and perform real-time attack detection. Furthermore, to avoid stringent detection time intervals, triggers will be added before detection to realize light and dynamic DDoS attacks detection.