The present disclosure provides a method and a device for simulating and detecting DDoS Attacks in software defined networking. The method comprises: adding zombie hosts in a preset linear increasing mode and an incremental mode, and launching stealthy DDoS Attacks on a data plane to a preset target switch in a software defined networking through all zombie hosts; synchronously updating a pre-built attack flow monitoring table on a controller of the networking according to updating of flow tables on all switches; periodically detecting the monitoring table to determine whether the monitoring table includes a monitoring table entry having existence duration over a preset duration threshold; and determining that a network flow corresponding to the monitoring table entry is a stealthy attack flow on the data plane of the networking when the monitoring table includes the monitoring table entry having the existence duration over the preset duration threshold.