The invention provides a network attack tracing method and device. The method comprises the following steps: when an attack event reported by security equipment in a network is received, acquiring anattack log which is generated by the security equipment and corresponds to the attack event, and extracting network address information of an attack source and an attack target in the attack log basedon streaming computation, storing the network address information in a memory, and then matching the network address information of the attack source and the attack target with a basic information database pre-established in the memory to obtain network position information of the attack source and the attack target; and finally, a network attack path diagram can be quickly generated according tothe network position information of the attack source and the attack target, and the whole network attack topology can be accurately restored in real time, so that a user can quickly alarm and repairattacked network assets and user terminals, and corresponding loss is reduced.