Method, device and equipment of identifying attack flow in software defined network

Disclosed are a method, device and equipment of identifying an attack flow in a software defined network, the software defined network comprising a switch and a controller; the switch stores an illegal flow filtering table, the method of identifying an attack flow comprising the following steps: the switch receives data packets of a data flow, and searches for a status field of a filtering table entry corresponding to the data flow in the illegal flow filtering table according to a feature value of the data packet; when the status field is a suspected attack flow state or a non-attack flow state, the switch sends a report message to the controller; the switch determines the rate value of sending the report message to the controller, filling the rate field of the filtering table entry with the rate value; when the rate value is greater than a preset rate threshold, then the switch modifies the status field of the filtering table entry as an attack flow state. The solution prevents a broadcast storm caused by an attack flow and reduces the waste of switch resources and controller resources.