INFAS: In-network flow management scheme for SDN control plane protection
Publication: Contribution to book/conference proceedings/anthology/report › Contribution to conference proceedings › Contributed › Peer-reviewed
Contributors
Abstract
The work that we present in this paper is motivated by a systematic vulnerability of SDN, a current technology that is expected to dominate the Internet. In particular, we focus on the Control Plane Saturation (CPS) attack, a very harmful, yet easy to implement, DoS attack. In CPS, the adversary generates a massive amount of flow packets that will not match switches' flow rules. As a result, the switches flood the control channels and the controller with malicious control packets. Previously proposed solutions mainly rely on the controller-side detection and filtering, thus still consume the control plane bandwidth resources and cannot achieve quick response due to the switch-controller delay. We present INFAS, a system that runs on commodity servers installed near network devices, for protecting SDN against CPS. The switches send flow packets that do not match concrete flow rules in their flow tables to INFAS, which is tasked to analyze the packets and to subsequently decide on sending them back to the switches or not. This results in reducing the number of generated control packets by up to 80%, which we show through extensive evaluations.
Details
Original language | English |
---|---|
Title | 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019 |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 367-373 |
Number of pages | 7 |
ISBN (electronic) | 9783903176157 |
Publication status | Published - 16 May 2019 |
Peer review status | Yes |
Conference
Title | 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019 |
---|---|
Duration | 8 - 12 April 2019 |
City | Arlington |
Country | USA/United States |
External IDs
ORCID | /0000-0001-8469-9573/work/161891230 |
---|
Keywords
ASJC Scopus subject areas
Keywords
- Control Plane Saturation, Denial-of-Service, Flow Management, Security, Software-Defined Networking