A DoS Attack Defense Model Adopting Data Mining

  • Abstract: Based on the characteristics of DoS/DDoS attacks, a defense model adopting data-mining technology is proposed. Using real-time sampled traffic as its data source, the model extracts a trusted IP list by association analysis for packet filtering, and evaluates the danger level of packets with a Bayesian classification algorithm. The model makes up for the shortcomings of traditional filtering based on a trusted IP list, and effectively differentiates normal traffic from abnormal traffic when defending against an attack. Experiments demonstrate that the model can defend against DoS/DDoS attacks effectively and in real time.

     
