In software-defined networking (SDN), a TCP SYN flooding attack is considered one of the most effective attacks for saturating the control plane and the target server. In this attack, an attacker generates a large number of malicious SYN requests, and because no forwarding rules exist for them, the data plane switches have to forward these SYN messages to the controller. This excessive forwarding congests the communication channel between the data plane and the control plane, and it also exhausts computational resources at both planes. In this paper, we propose a novel countermeasure called SYN-Guard to detect and prevent SYN flooding in SDN networks. We fully implement SYN-Guard on the SDN controller to validate the incoming TCP connection requests. The controller installs forwarding rules for the SYN requests that successfully clear the validation test of SYN-Guard. The host that sends a fake SYN request is detected, and SYN-Guard prevents it from sending any further SYN requests to the data plane switch. Performance evaluation based on simulation results shows that SYN-Guard has a low side effect on genuine TCP requests, and when compared with standard SDN and state-of-the-art proposals, it reduces the average response time by up to 21% during an ongoing SYN flooding attack.

KEYWORDS
denial of service, resource exhaustion, security, software-defined networking, SYN flooding

Int J Commun Syst. 2019;32:e4061. wileyonlinelibrary.com/journal/dac