Software-defined networking (SDN) is a promising network paradigm for future Internet. The centralized controller and simplified switches replace the traditional complex forwarding devices, and make network management convenient. However, the switches in SDN currently have limited ternary content addressable memory (TCAM) to store specific routing rules from the controller. This bottleneck provokes cyber attacks to overload the switches. Despite existing some countermeasures for such attacks, they are proposed based on simplified attack patterns. In this paper, we review the table-overflow attack using a sophisticated attack pattern. In the attack pattern, attack flows are targeted at their middle hops instead of endpoints. We first define potential targets in the network topology, and then we propose three specific traffic features and a monitoring mechanism to detect and locate the attackers. Further, we propose a mitigation mechanism to limit the attack rate using the token bucket model. With the control of token add rate and bucket capacity, it avoids the table overflow on the victim switch. Extensive simulations in different types of topologies and experiments in our testbed are provided to show the performance of our proposal