In the traditional distributed control network, due to the difficulty in detection and the ambiguous defense responsibility, it is not efficient and effective to detect DDoS attacks in the network where they are launched, which is so-called source-based defense mechanism. However, with the development of cloud computing, Internet of Things (IoT), and mobile Internet, the number of terminals and the communication bandwidth in a single autonomous domain has increased significantly, providing much more favorable conditions for organizing large-scale botnets to launch a threatening DDoS attack. Therefore, there is a urgent need for source-based defense against DDoS attacks. The emerging Software-Defined Networking (SDN) provides some new ideas and advantages to solve this problem, such as centralized control and network programmability. In this paper, we proposed a defense method based on sFlow and an improved Self-Organizing Map (SOM) model in the SDN environment. This method combines a sFlowbased macro-detection, which could cover the entire network to perceive DDoS attacks, with a SOMbased micro-detection, which is used to recognize the attack traffic, and also provides a response strategy based on the global view given by the controller. The experimental results under open data and simulated attack scenarios have proved the effectiveness of the proposed method, and it has better overall detection performance than k-means and k-medoids.