The present invention provides an attack detection method and device. The method is applied to a WAF (Web Application Firewall) device. The method includes the following steps that: after a request message from a terminal device is received, the request message is detected; when the request message is confirmed as an attack message, the request message is discarded; when the request message is confirmed as an undetermined request message, the destination port number of the request message is modified into a preset re-detection port number, and then, the request message is sent to a server, so that the server can detect the request message, and when the request message is confirmed as an attack message, the request message is discarded; and when the request message is confirmed as a legal message, the request message is sent to the server. With the attack detection method and device provided by the technical schemes of the invention adopted, the processing bottleneck of the WAF device can be broken through, and the recognition accuracy of attack messages can be improved.