The invention discloses a breeding-based DDoS malicious code detection and tracing method, and relates to the technical field of network security. The method specifically comprises the steps that firstly, existing DDoS malicious codes or suspicious files under a Linux system serve as samples to be detected to be bred for a long time; constructing a Docker mirror image of the Linux system, runningthe Docker mirror image into each virtual environment of each server to form a container, successfully starting each container, storing running information into a database, and configuring a monitoring program of each container; then, putting each to-be-detected sample into a respective corresponding container, and carrying out multi-dimensional monitoring on the behavior of the to-be-detected sample by utilizing a monitoring program; and judging whether all traffic of each sample exceeds a DDoS attack traffic threshold, and if so, calling a DDoS event analysis function to cut off a discoveredDDoS attack event, comprehensively analyzing, tracking and tracing, and positioning an IP of a botnet main control end. Otherwise, the to-be-detected sample is a safe sample and is not processed. Themaster control end of the puppet machine can be effectively tracked.