HTTP flood attacks mimicking normal access behavior are difficult to discovered, it consumes web server’s resources and brings hidden danger on information security, a method of proactive defense against HTTP floods is provided. Rewrite URL to record CookieId and SessionId of HTTP requests into Web log; analysis Web log at regular time, identify user according CookieId and SessionId, indentify puppet computers using request time characteristic; process HTTP requests in advance to keep out the requests from the puppet computers. This method is low cost and easy to implement, practice proved its validity.