
Using SDN Flow Tables to Block Attacks in IoT Environments

Advisor: 莊博任

Abstract


The Internet of Things has brought convenience and safety and opened a new era. Products such as smart refrigerators, wearable devices and network cameras are now common in households, and they generate large volumes of data. The accompanying weaknesses, however, are becoming increasingly evident: as the IoT era begins, network attacks are also becoming more common. This can be attributed to the weak password security of IoT devices, which allows malware written specifically for IoT environments to obtain passwords by brute force and turn the devices into zombies. As the number of IoT devices grows, DDoS attacks therefore become both more severe and more widespread.

Most existing work uses an intrusion detection system (IDS) or a firewall to detect attack traffic and defend against attacks. This approach is not suited to high-speed networks: on a backbone carrying large volumes of traffic, the IDS cannot keep up, and unexamined attack packets reach the destination host. An IDS identifies attacks with rules, so it cannot defend against an unknown attack; it must wait until the attack has been analysed by specialists and a new rule has been added to the IDS before it can block it. The time this takes is measured in days, by which point the attack has already achieved its goal and spread the malware further.

This thesis proposes deploying a honeypot on an OpenFlow switch to collect attack traffic and applying machine learning for anomaly detection, so that unknown attacks can be found and blocked without affecting network speed. By making effective use of the flow table, we defend against attack traffic by matching packet headers rather than blocking all of the attacker's traffic. Using the flow table to defend against attacks in an IoT environment not only supports larger traffic volumes through SDN, but also reduces the network congestion caused by volumetric attacks.

The experimental results confirm that the flow table achieves a better capture rate than an IDS against high-volume, short-packet DDoS attacks. When blocking attack traffic, it can distinguish normal traffic from attack traffic and therefore need not block all of the attacker's traffic. Compared with approaches in the existing literature, our proposal of deploying a honeypot on the OpenFlow switch to collect attack traffic finds unknown attacks and completes anomaly detection without delaying the network.

Abstract (English)


The Internet of Things brings convenience and safety and opens up a new era. Products such as smart refrigerators, wearable devices and network cameras have become common in households and generate a large amount of data. But the accompanying weaknesses are becoming more and more obvious: with the dawn of the IoT era, cyber attacks are becoming more and more common. This can be attributed to insufficient password security on IoT devices, which allows malware targeting the IoT environment to obtain passwords by brute force and turn the devices into zombies. Therefore, as the number of IoT devices increases, DDoS attacks also become more serious and widespread. Most current theses use an intrusion detection system (IDS) or a firewall to detect attack traffic and defend against attacks. However, this method is not suitable for a high-speed network environment: facing a heavily loaded backbone network, the IDS cannot inspect packets in time, and undetected attack packets reach the destination host. An IDS uses rules to identify attacks, so it cannot defend against unknown attacks; it can only wait until the unknown attack has been analysed by professionals and new rules have been added to the IDS before the attack can be blocked. The time required is measured in days, by which point the attack has already achieved its purpose and spread the malware more widely. This thesis proposes setting up a honeypot on the OpenFlow switch to collect attack traffic and using machine learning to identify anomalies. In this way, unknown attacks can be found and prevented without affecting network speed. By effectively using the flow table feature, we match headers to defend against attack traffic rather than blocking all traffic from the attacker.
Using the flow table to defend against attacks in the IoT environment can not only support larger traffic volumes through SDN, but also reduce network congestion caused by volumetric attacks. The experimental results confirm that the flow table has a better capture rate than the IDS against high-volume, short-packet DDoS attacks. In blocking attack traffic, the difference between normal traffic and attack traffic can be identified without blocking all of the attacker's traffic. We propose setting up a honeypot on the OpenFlow switch to collect attack traffic; compared with the existing literature, we can find unknown attacks and complete anomaly detection without delaying the network.
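The selective blocking described above, as an added Python example that is not code from the thesis: an anomaly-detector alert is turned into a flow entry that matches only the flagged header fields, so the attacker's other flows still hit the table-miss rule and are forwarded. The alert fields, the flow-table model, the sample addresses and the `br0` bridge name are assumptions.

```python
# Added example (not the thesis's code): selective blocking with OpenFlow-style
# flow entries. Field names, the alert format and the bridge name are assumptions.
from dataclasses import dataclass

@dataclass
class FlowEntry:
    priority: int
    match: dict   # header field -> value; a field absent here is a wildcard
    action: str   # "drop" or "forward"

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())

class FlowTable:
    def __init__(self):
        # Table-miss entry (priority 0): forward everything not matched above.
        self.entries = [FlowEntry(0, {}, "forward")]

    def add(self, entry: FlowEntry) -> None:
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def lookup(self, pkt: dict) -> str:
        # OpenFlow semantics: the highest-priority matching entry decides.
        return next(e.action for e in self.entries if e.matches(pkt))

def block_rule_from_alert(alert: dict, priority: int = 100) -> FlowEntry:
    """Drop only the header tuple the anomaly detector flagged, not the whole host."""
    keys = ("ip_proto", "src_ip", "dst_ip", "dst_port")
    return FlowEntry(priority, {k: alert[k] for k in keys if k in alert}, "drop")

def to_ovs_ofctl(entry: FlowEntry, bridge: str = "br0") -> str:
    """Render the entry as an ovs-ofctl add-flow command (bridge name is a placeholder)."""
    names = {"src_ip": "nw_src", "dst_ip": "nw_dst", "dst_port": "tp_dst"}
    proto = [entry.match["ip_proto"]] if "ip_proto" in entry.match else []
    parts = [f"priority={entry.priority}", *proto] + [f"{names[k]}={v}" for k, v in entry.match.items() if k in names]
    return f'ovs-ofctl add-flow {bridge} "{",".join(parts)},actions={entry.action}"'

# Constructed sample: the detector flagged a TCP/23 brute-force flow from 10.0.0.5.
ALERT = {"ip_proto": "tcp", "src_ip": "10.0.0.5", "dst_port": 23}

def demo() -> dict:
    table = FlowTable()
    table.add(block_rule_from_alert(ALERT))
    pkts = {
        "attacker_telnet": {"ip_proto": "tcp", "src_ip": "10.0.0.5", "dst_port": 23},
        "attacker_https": {"ip_proto": "tcp", "src_ip": "10.0.0.5", "dst_port": 443},
        "other_host_telnet": {"ip_proto": "tcp", "src_ip": "10.0.0.6", "dst_port": 23},
    }
    return {name: table.lookup(p) for name, p in pkts.items()}
```

Only the flagged telnet flow from the attacker is dropped; its HTTPS traffic and another host's telnet traffic still pass, which is the difference between header matching and blocking the attacker outright.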

