According to some embodiments, the present invention discloses a method and a device for detecting scan attacks. The method parses the received message information and records the destination port or the IP address contained in it; it then counts the number of times the destination port or the IP address is recorded within a scheduled time; finally, when the number of times the destination port or the IP address has been recorded reaches a predetermined threshold, it judges that a scan attack is occurring. The device comprises a first unit, which parses the received message information and records the destination port or the IP address; a second unit, which counts the number of times the destination port or the IP address is recorded within a scheduled time; and a third unit, which judges that a scan attack is occurring when the number of times the destination port or the IP address has been recorded reaches the predetermined threshold. In each embodiment, the present invention effectively detects scan attacks based on the number of port or protocol attacks within a scheduled time, thereby reducing both the false alarm rate and the implementation difficulty of scan detection.
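The record, count and threshold steps described above, as an added example that is not part of the patent text. It assumes messages are already parsed into (timestamp, source, destination IP, destination port) tuples in time order, that counts are kept per source, and that only destinations not yet recorded in the window are counted; `ScanDetector`, `run` and the window and threshold values are hypothetical.

```python
from collections import defaultdict, deque

class ScanDetector:
    """Counts destination ports / IP addresses recorded per source in a time window."""
    def __init__(self, window_s=10.0, threshold=5):
        self.window_s = window_s    # the "scheduled time" (assumed value)
        self.threshold = threshold  # the "predetermined threshold" (assumed value)
        self.records = defaultdict(deque)  # key -> deque of (timestamp, value)

    def _record(self, key, ts, value):
        q = self.records[key]
        while q and ts - q[0][0] > self.window_s:  # expire records outside the window
            q.popleft()
        # Assumption: a destination is recorded once per window, so repeats do not count.
        if all(v != value for _, v in q):
            q.append((ts, value))
        return len(q) >= self.threshold

    def observe(self, ts, src, dst_ip, dst_port):
        """Process one parsed message; return the scan types judged for it."""
        alerts = []
        if self._record(("port", src, dst_ip), ts, dst_port):
            alerts.append("port_scan")   # many ports on one host
        if self._record(("ip", src), ts, dst_ip):
            alerts.append("ip_scan")     # many hosts from one source
        return alerts

def run(messages, **kw):
    """Feed messages through a detector; return the set of (source, scan type) hits."""
    det = ScanDetector(**kw)
    hits = set()
    for ts, src, dst_ip, dst_port in messages:
        for kind in det.observe(ts, src, dst_ip, dst_port):
            hits.add((src, kind))
    return hits

# Constructed sample messages: (timestamp_s, src_ip, dst_ip, dst_port)
SAMPLE = sorted(
    [(0.4 * i, "198.51.100.7", "192.0.2.10", p) for i, p in enumerate([21, 22, 23, 25, 80])]
    + [(1.0 * i, "198.51.100.20", "192.0.2.10", 443) for i in range(8)]       # busy client
    + [(15.0 * i, "198.51.100.30", "192.0.2.10", 8000 + i) for i in range(5)]  # slower than window
    + [(0.5 * i, "198.51.100.40", f"192.0.2.{i + 1}", 22) for i in range(5)]   # address sweep
)

if __name__ == "__main__":
    print(sorted(run(SAMPLE, window_s=10.0, threshold=5)))
```

The busy client and the source that probes slower than the window stay below the threshold, which shows both the false-alarm behaviour and the blind spot that the choice of scheduled time creates.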