The invention discloses a DDoS attack traffic identification and detection method under an SDN. The method comprises the following steps: S1, collecting flow table information; S2, calculating, from the flow table information, traffic feature values that carry DDoS attack characteristics, and converting them into feature vector data; S3, constructing a random forest model from the feature vector data, using the constructed random forest model to screen out the traffic features that contribute little to identifying the DDoS attack, and obtaining an optimal feature subset; S4, converting the optimal feature subset into a feature vector Fnew, measuring the Mahalanobis distance between the feature vector Fnew and each node in the feature pattern graph, and, if a node nearest to the feature vector Fnew in Mahalanobis distance exists, determining that the feature pattern corresponding to that node is the category of the feature vector Fnew; if the category is a benign category, determining that the traffic is normal, otherwise determining that the traffic is DDoS attack traffic.
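An added worked example (not the patent's own code) of steps S2 and S4: the three flow-table features, the node means and covariances of the feature pattern graph, and the flow records are all constructed assumptions, and the random forest screening of S3 is taken as already done, so the computed vector is used directly as Fnew.

```python
"""Nearest-node Mahalanobis classification of an SDN flow-table feature vector.

Constructed illustration: feature choice, node statistics and flow records are
assumptions, not values from the patent.
"""
from math import sqrt

# Step S2 (assumed features). Each flow-table entry is (src_ip, dst_port, packet_count).
def feature_vector(flows):
    n = len(flows)
    mean_pkts = sum(f[2] for f in flows) / n                # packets per flow
    single = sum(1 for f in flows if f[2] == 1) / n         # share of one-packet flows
    src_ratio = len({f[0] for f in flows}) / n              # distinct sources per flow
    return [mean_pkts, single, src_ratio]

def invert(m):
    """Gauss-Jordan inverse of a small covariance matrix (assumes non-zero pivots)."""
    n = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for i in range(n):
        p = a[i][i]
        a[i] = [x / p for x in a[i]]
        for r in range(n):
            if r != i:
                f = a[r][i]
                a[r] = [x - f * y for x, y in zip(a[r], a[i])]
    return [row[n:] for row in a]

def mahalanobis(x, mean, cov):
    """sqrt((x - mean)^T cov^-1 (x - mean)); the node's covariance scales each axis."""
    d = [xi - mi for xi, mi in zip(x, mean)]
    inv = invert(cov)
    return sqrt(sum(d[i] * inv[i][j] * d[j] for i in range(len(d)) for j in range(len(d))))

# Step S4: nodes of the feature pattern graph (constructed means and covariances).
NODES = {
    "benign": {"mean": [40.0, 0.05, 0.50],
               "cov": [[100.0, 0.0, 0.0], [0.0, 0.001, 0.0005], [0.0, 0.0005, 0.002]]},
    "attack": {"mean": [1.5, 0.90, 0.95],
               "cov": [[1.0, 0.0, 0.0], [0.0, 0.002, 0.0], [0.0, 0.0, 0.002]]},
}

def classify(flows, nodes=NODES):
    """Assign Fnew to the nearest node; benign -> normal, anything else -> DDoS."""
    fnew = feature_vector(flows)
    label = min(nodes, key=lambda k: mahalanobis(fnew, nodes[k]["mean"], nodes[k]["cov"]))
    return "normal" if label == "benign" else "DDoS attack traffic"

# Constructed flow-table windows for a quick check.
BENIGN_FLOWS = [("10.0.0.1", 80, 45), ("10.0.0.2", 443, 38), ("10.0.0.1", 22, 52),
                ("10.0.0.3", 80, 33), ("10.0.0.2", 80, 41)]
ATTACK_FLOWS = [("198.51.100.%d" % i, 80, 1) for i in range(8)]
```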