Packet injection attacks are a primary threat to software-defined enterprise networks, for which continuous connectivity and real-time network functioning are two essential requirements. They are a form of denial-of-service attacks, and their main effect is network performance degradation up to total breakdown. In this paper, we show how such an attack can effectively be detected and mitigated at the entrance gateway switch of the software-defined enterprise network without sacrificing the basic functionality and performance of the networks control mechanisms. We describe an effective protection of the network’s core controller as well as a significant reduction of rule-space overhead compared to a state-of-the-art technique.