Attack source tracking method and device for anomalous network traffic

The invention provides an attack source tracking method and an attack source tracking device for anomalous network traffic. The method comprises the following steps of: selecting any one or more network nodes from network nodes of an attack link as (a) tracking starting point(s), wherein the attack link is a communication link between an attacked object and an attack source; and determining upper-level network nodes in the attack link level by level according to the tracking starting points until a final attack source is determined. By the technical scheme, the problem that a network attack can be relieved but a source (namely the attack source) of the attack cannot be positioned by a network security mechanism in related technologies is solved, and the effect of reversely tracking and positioning the attack source further can be achieved.