Aiming at the problem that Distributed Denial of Service (DDoS) attacks are difficult to detect and defend before the damage is generated, a Control Real-time Defense Mechanism (CRDM) based on Software Defined Network (SDN) for malicious scanning was proposed. Firstly, the advantages of the SDN over the traditional network in the network layer protection technology were analyzed. Secondly, according to the network attack-malicious scanning, a CRDM for defending against malicious scanning was proposed. In CRDM, Representational State Transfer (REST) APIs (Application Program Interfaces) provided by the OpenDayLight (ODL) were used to build an external application to achieve detection, determination and prevention on the switch port. Finally, CRDM was implemented on the ODL platform, and the detection and defense scheme of malicious scanning was tested. The simulation results show that:when a port is scanning the network maliciously, CRDM can disable the port in time, and protect against malicious scanning attacks in real-time. Then, the destructive behavior in a DDoS attack is prevented before it is started.