Distributed reflection denial of service (DrDoS) attacks are a prevalent and troublesome form of DDoS attack. Fake service requests trigger a flood of service responses, typically in large packet sizes, that are sent to targeted hosts via public servers. As public servers are legitimate, and their services are necessary for targeted hosts, DrDoS attacks cannot be effectively blocked through firewalls or most solutions to DDoS floods. This paper leverages the software-defined networking (SDN) technique and proposes the efficient countermeasure with NAPT and two-stage detection (EC-NTD) scheme to safeguard against DrDoS attacks, where NAPT refers to network address port translation. We consider that attack sources (i.e., botnet members that send fake requests to public servers) may be outside or inside an SDN-based network where DrDoS targeted hosts reside. To guard against external attacks, filtering rules and NAPT are used in gateways to distinguish normal responses from those caused by attacks. To recognize internal attacks, the controller detects anomalies in the quantity of requests and their source IP addresses. Additionally, the adaptive adjustment of the attack detection period length helps alleviate the controller’s load while maintaining effective defense. Simulation results reveal that the EC-NTD scheme can efficiently safeguard against DrDoS attacks with different services.
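The gateway-side idea, that a response is normal only if it answers a request the gateway itself translated, can be sketched as follows. This is an added illustration, not code or rules from the paper; the class and function names, addresses and port numbers are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NaptGateway:
    """Hypothetical gateway: translates outbound requests, admits only matching responses."""
    public_ip: str
    next_port: int = 40000
    # public_port -> (internal_ip, internal_port, server_ip, server_port)
    table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an internal host's request and record the translation."""
        port = self.next_port
        self.next_port += 1
        self.table[port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Return the de-translated response, or None if no request matches it."""
        entry = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return None  # no translation entry: response was not solicited from inside
        int_ip, int_port, srv_ip, srv_port = entry
        if (pkt.src_ip, pkt.src_port) != (srv_ip, srv_port):
            return None  # allocated port, but not the server the request went to
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)

def demo():
    """Constructed traffic: one genuine lookup and two unsolicited responses."""
    gw = NaptGateway(public_ip="203.0.113.1")
    # Genuine request from an internal host to a public DNS server.
    req = gw.outbound(Packet("10.0.0.5", 5353, "198.51.100.53", 53))
    ok = gw.inbound(Packet("198.51.100.53", 53, req.src_ip, req.src_port))
    # Reflected response: the server answers a spoofed external request,
    # so it arrives on a port the gateway never allocated.
    reflected = gw.inbound(Packet("198.51.100.53", 53, "203.0.113.1", 53124))
    # Response aimed at an allocated port but sent by a different server.
    wrong_server = gw.inbound(Packet("198.51.100.99", 123, req.src_ip, req.src_port))
    return ok, reflected, wrong_server
```

A request spoofed from inside the network would pass through `outbound` and create a valid entry, which is why the abstract assigns internal attacks to a separate controller-side detection stage.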