We propose an architecture that increases the resiliency against DDoS attacks by leveraging virtual network functions (VNF) and software defined networking (SDN). In the first step, the proposed architecture places the virtual network functions (VNF) optimally by solving a linear program. In the second step, in order to add preemptive protection against DDoS attacks, special filter VNFs and secondary paths passing through these filter VNFs are set up by solving another linear program. Under a DDoS attack, SDN controller switches the routes affected by the attack to the secondary paths for filtering DDoS traffic in order to prevent over-utilization. The simulation results show that the proposed architecture can absorb higher amount of DDoS traffic with low impact on the average hop count.