The widespread use of resource-constrained Internet of Things (IoT) devices has expanded the attack surface of networks, in particular by making them more vulnerable to Distributed Denial of Service (DDoS) attacks. Because of their weak security, these devices can be compromised and assembled into botnets that overwhelm networks with traffic or exhaust network resources, disrupting legitimate operations. This paper presents DDoShield, a two-stage defense framework designed for real-time detection and attribution of various types of DDoS attacks, including flooding attacks and attacks that exploit protocol vulnerabilities. Leveraging advances in programmable networks, DDoShield detects malicious DDoS traffic in the data plane and classifies the flagged flows at the network controller, allowing timely and accurate updates to the data plane's defense mechanisms. Using the CICIoT2023 dataset, we implement a lightweight Decision Tree-based model in the data plane that achieves 80-99% accuracy in detecting DDoS traffic. Classification of the malicious flows is offloaded to the control plane, where a ResNet classifier reaches over 96% accuracy for DDoS attacks driven by flooding and transport-layer vulnerabilities, and somewhat lower accuracy (75-83%) for attacks exploiting application-layer vulnerabilities. Compared to traditional intrusion detection systems, DDoShield reduces malicious packet detection delay by 3 milliseconds and significantly lowers bandwidth overhead, at the cost of a 20% increase in switch memory usage.
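To make the two-stage split concrete, the following is an added illustration written for this page, not code from the DDoShield paper or its authors. It models stage one as per-flow counters in a (simulated) data plane feeding a shallow, hand-written decision tree that only answers "suspect or not", and stage two as a control-plane classifier that attributes each suspect flow to an attack type and pushes a drop rule back into the data plane. The thresholds (`MIN_PKTS`, the 0.9 SYN ratio, the 80-byte mean size), the rule-based classifier standing in for the paper's ResNet, and the sample traffic are all constructed assumptions; the real system trains its models on CICIoT2023.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical two-stage pipeline mirroring the data-plane / control-plane split
# described in the abstract. Thresholds, labels and traffic are constructed for
# illustration; they are not DDoShield's trained models or CICIoT2023 data.

@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    size: int    # bytes on the wire
    syn: bool = False

@dataclass
class FlowStats:
    pkts: int = 0
    bytes: int = 0
    syn: int = 0

    def add(self, p: Packet) -> None:
        self.pkts += 1
        self.bytes += p.size
        self.syn += int(p.syn)

    @property
    def syn_ratio(self) -> float:
        return self.syn / self.pkts

    @property
    def mean_size(self) -> float:
        return self.bytes / self.pkts

def flow_key(p: Packet):
    return (p.src, p.dst, p.proto, p.dport)

MIN_PKTS = 50  # constructed: a flow must be this long before stage 1 judges it

class DataPlaneDetector:
    """Stage 1: per-flow counters plus a shallow, hand-written decision tree.
    It only decides 'suspect or not'; attribution is left to the controller."""
    def __init__(self):
        self.flows = defaultdict(FlowStats)
        self.blocked = set()   # drop rules installed by the controller

    def process(self, p: Packet) -> str:
        key = flow_key(p)
        if key in self.blocked:
            return "DROP"
        fs = self.flows[key]
        fs.add(p)
        if fs.pkts >= MIN_PKTS:
            # two-level decision tree with constructed thresholds
            if fs.syn_ratio > 0.9:     # almost every packet is a SYN
                return "SUSPECT"
            if fs.mean_size < 80:      # sustained stream of tiny packets
                return "SUSPECT"
        return "FORWARD"

class ControlPlaneClassifier:
    """Stage 2: attribute a suspect flow to an attack type from its statistics.
    A rule-based stand-in for the heavier classifier the controller can afford."""
    def classify(self, key, fs: FlowStats) -> str:
        _, _, proto, dport = key
        if proto == "tcp" and fs.syn_ratio > 0.9:
            return "syn_flood"
        if proto == "udp" and fs.mean_size < 80:
            return "udp_flood"
        if proto == "tcp" and dport in (80, 443):
            return "http_flood"
        return "benign"

def run_pipeline(packets):
    """Returns (attribution per flow, packets dropped in the data plane,
    packets each attack flow got through before its drop rule landed)."""
    dp, cp = DataPlaneDetector(), ControlPlaneClassifier()
    verdicts, leaked, dropped = {}, {}, 0
    for p in packets:
        action = dp.process(p)
        if action == "DROP":
            dropped += 1
        elif action == "SUSPECT":
            key = flow_key(p)
            label = cp.classify(key, dp.flows[key])
            verdicts[key] = label
            if label != "benign":
                dp.blocked.add(key)                # controller updates the data plane
                leaked[key] = dp.flows[key].pkts   # detection delay, in packets
    return verdicts, dropped, leaked

def constructed_traffic():
    """Constructed sample: a long benign HTTPS session, a SYN flood, a UDP flood, an HTTP flood."""
    benign = [Packet("10.0.0.2", "10.0.0.9", "tcp", 443, 600, syn=(i == 0)) for i in range(100)]
    syn_flood = [Packet("10.0.0.5", "10.0.0.9", "tcp", 80, 60, syn=True) for _ in range(200)]
    udp_flood = [Packet("10.0.0.6", "10.0.0.9", "udp", 53, 40) for _ in range(120)]
    http_flood = [Packet("10.0.0.7", "10.0.0.9", "tcp", 80, 70) for _ in range(80)]
    return benign + syn_flood + udp_flood + http_flood

if __name__ == "__main__":
    verdicts, dropped, leaked = run_pipeline(constructed_traffic())
    for key, label in verdicts.items():
        print(key, "->", label, "blocked after", leaked[key], "packets")
    print("dropped in data plane:", dropped)
```

The `leaked` counter is the simulated analogue of the detection delay the abstract reports: every packet a flow sends before the controller's rule reaches the switch is forwarded, so a cheaper stage-one test (and a shorter `MIN_PKTS` window) trades false positives against how much of a flood gets through. Note that the benign session is never escalated, so the controller only spends classifier time on flows the data plane has already flagged.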