Introduction
As a beginner stepping into DevOps and cybersecurity, I wanted to build something practical and impactful — not just theory.
So I built a real-time DDoS detection and mitigation system that:
- Monitors live traffic from Nginx logs
- Detects suspicious spikes using statistics
- Automatically blocks attacking IPs
- Sends alerts to Slack
- Displays everything on a live dashboard
In this post, I’ll walk you through exactly how it works — in a simple, beginner-friendly way.
What Problem Am I Solving?
A DDoS (Distributed Denial of Service) attack happens when a server gets flooded with too many requests.
This can:
- Slow down your app
- Crash your server
- Make your service unavailable
My solution:
Build a system that can detect abnormal traffic and stop it automatically.
Project Architecture
Here’s what I used:
Nginx → Handles incoming traffic
Nextcloud → Sample app (target)
Python daemon → Detects attacks
Docker Compose → Runs everything
Slack Webhook → Sends alerts
Dashboard UI → Shows live metrics
Step 1: Monitoring Nginx Logs
Nginx logs every request like this:
127.0.0.1 - - [timestamp] "GET /index.html" 200
My system:
- Reads logs in real-time
- Extracts:
- IP address
- Timestamp
- Status code
Here is how I implemented that (the code is in the GitHub repo linked at the end of the post).
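The log-reading step above, as an added example in Python (this is not the post's own code and the repo may do it differently). It assumes Nginx's default "combined" access log format, of which the short line shown above is a subset, and uses constructed sample lines with documentation addresses:

```python
import re
import time
from datetime import datetime
from typing import NamedTuple, Optional

# Assumed format: Nginx's default "combined" access log, a superset of the short
# line shown in the post. The protocol and trailing fields are optional so that
# the short form parses too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>[^\s"]+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 10/Oct/2023:13:55:36 +0000

class Request(NamedTuple):
    ip: str
    ts: datetime
    status: int
    path: str

def parse_line(line: str) -> Optional[Request]:
    """Extract IP, timestamp and status code; return None for lines that do not
    match (a half-written line at the tail of the file, or a placeholder such as
    [timestamp] that is not a real date) instead of crashing the daemon."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return Request(m.group("ip"), ts, int(m.group("status")), m.group("path"))

def follow(path: str, poll_seconds: float = 0.2):
    """Yield new lines as Nginx appends them (like `tail -f`), starting at the
    current end of the file so old traffic is not replayed on every restart."""
    with open(path, encoding="utf-8", errors="replace") as f:
        f.seek(0, 2)
        while True:
            line = f.readline()
            if not line:
                time.sleep(poll_seconds)
                continue
            yield line.rstrip("\n")

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [timestamp] "GET /index.html" 200',              # placeholder date: skipped
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.ht',   # truncated line: skipped
]

def parse_all(lines):
    """Parse a batch of lines, dropping the ones that do not parse."""
    return [r for r in map(parse_line, lines) if r is not None]

if __name__ == "__main__":
    for r in parse_all(SAMPLE_LINES):
        print(r.ip, r.ts.isoformat(), r.status, r.path)
```

One thing to check before trusting the IP column: if Nginx sits behind a load balancer or reverse proxy, the first field is the proxy's address, not the client's, and every request would be attributed to one IP. In that setup the log format has to record the real client address (for example via the realip module) before this parser is useful.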
Step 2: Sliding Window (Core Idea)
To detect attacks, I track requests over time using a sliding window.
Think of it like this:
“How many requests happened in the last 60 seconds?”
I used Python’s deque to:
- Add new requests
- Remove old ones automatically
Step 3: Building a Baseline
Instead of guessing what’s “too much traffic”, I calculate a baseline:
- Track requests per second over 30 minutes
- Compute:
- Mean (average traffic)
- Standard deviation
This helps answer:
“What does normal traffic look like?”
Here is how I implemented that (the code is in the GitHub repo linked at the end of the post).
Step 4: Detecting Anomalies
I detect attacks using two methods:
- Z-score: if traffic is far above normal, i.e. z-score > 3
- Spike detection: if traffic is more than 5x the average
If either condition is true, it's an attack.
Here is how I implemented that (the code is in the GitHub repo linked at the end of the post).
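Steps 2, 3 and 4 together, as an added Python example (not the post's code): a deque-based sliding window, a rolling 30-minute baseline, and the two detection rules from Step 4. The per-second counts it replays are a constructed series; in the real daemon they would come from bucketing the parsed log timestamps by second. Two details are assumptions of this example rather than something the post states: a flat baseline (standard deviation 0) gets a z-score of 0 instead of a division error, and seconds that are flagged are not fed back into the baseline, so a long attack cannot quietly become the new "normal":

```python
import statistics
from collections import deque

WINDOW_SECONDS = 60           # "how many requests in the last 60 seconds?"
BASELINE_SECONDS = 30 * 60    # 30 minutes of per-second samples
Z_THRESHOLD = 3.0             # rule 1: z-score > 3
SPIKE_FACTOR = 5.0            # rule 2: more than 5x the average

class SlidingWindow:
    """A deque of request timestamps (seconds); old ones drop off the left."""
    def __init__(self, size=WINDOW_SECONDS):
        self.size = size
        self.events = deque()

    def add(self, ts):
        self.events.append(ts)
        self._expire(ts)

    def _expire(self, now):
        while self.events and now - self.events[0] >= self.size:
            self.events.popleft()

    def count(self, now):
        """Requests seen in the last `size` seconds as of `now`."""
        self._expire(now)
        return len(self.events)

class Baseline:
    """Rolling mean / standard deviation of per-second request counts."""
    def __init__(self, size=BASELINE_SECONDS, min_samples=60):
        self.rates = deque(maxlen=size)   # maxlen makes the deque forget old samples itself
        self.min_samples = min_samples

    def add(self, rps):
        self.rates.append(rps)

    def ready(self):
        return len(self.rates) >= self.min_samples

    def mean(self):
        return statistics.fmean(self.rates)

    def stdev(self):
        return statistics.pstdev(self.rates) if len(self.rates) > 1 else 0.0

def zscore(rps, mean, stdev):
    # Assumption: flat traffic (stdev == 0) yields z = 0 rather than a division
    # error; the 5x rule still catches spikes in that case.
    return (rps - mean) / stdev if stdev > 0 else 0.0

def is_anomalous(rps, mean, stdev):
    """The post's two rules: z-score > 3 OR rate > 5x the average."""
    return zscore(rps, mean, stdev) > Z_THRESHOLD or (mean > 0 and rps > SPIKE_FACTOR * mean)

def run_detector(per_second_counts, min_samples=60):
    """Replay per-second request counts and return the indices that were flagged.
    Assumption (not from the post): flagged seconds are NOT added to the baseline."""
    baseline = Baseline(min_samples=min_samples)
    flagged = []
    for i, rps in enumerate(per_second_counts):
        if baseline.ready() and is_anomalous(rps, baseline.mean(), baseline.stdev()):
            flagged.append(i)
            continue
        baseline.add(rps)
    return flagged

# Constructed sample: 10 minutes of calm traffic (8/10/12 req/s), then a 3-second flood.
CALM = [8, 10, 12] * 200
SAMPLE = CALM + [12, 80, 80, 80, 11]

if __name__ == "__main__":
    print("flagged seconds:", run_detector(SAMPLE))   # [601, 602, 603]
```

A caveat worth keeping in mind with the z-score rule: on very steady traffic the standard deviation is tiny, so a small and harmless bump can exceed 3 sigma. The 5x rule is the one that stays meaningful in that regime, which is a good reason to require both a minimum number of samples and, in practice, a minimum absolute request rate before alerting.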
Step 5: Blocking Attackers
When an IP is suspicious:
I block it using iptables
Example:
iptables -A INPUT -s <IP> -j DROP
Step 6: Auto-Unban System
Not every spike is an attack forever.
So I implemented a backoff unban system:
- 10 minutes
- 30 minutes
- 2 hours
- Permanent (if repeated)
Here is how I implemented that (the code is in the GitHub repo linked at the end of the post).
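Steps 5 and 6 together, as an added Python example (not the post's code): a ban manager that runs the `iptables ... DROP` rule from Step 5 and unbans on the 10 min / 30 min / 2 h / permanent schedule from Step 6. Assumptions of this example: `dry_run=True` records the commands instead of executing them (which is how it can be exercised without root), the clock is injectable for testing, and a small safelist stops the daemon from ever banning the machine it runs on:

```python
import ipaddress
import shlex
import subprocess
import time

# Backoff schedule from the post: 10 min, 30 min, 2 h, then permanent.
BACKOFF_SECONDS = [10 * 60, 30 * 60, 2 * 60 * 60]
PERMANENT = None
SAFELIST = {"127.0.0.1", "::1"}   # assumption: never ban the box itself

class BanManager:
    """Bans IPs with iptables and unbans them on a growing schedule.

    dry_run=True records the iptables commands in .commands instead of executing
    them. `clock` is injectable so time can be advanced in tests."""

    def __init__(self, dry_run=True, clock=time.time):
        self.dry_run = dry_run
        self.clock = clock
        self.offences = {}   # ip -> how many times it has been banned so far
        self.expires = {}    # ip -> unban time (epoch seconds), or None if permanent
        self.commands = []

    def _iptables(self, *args):
        cmd = ["iptables", *args]
        self.commands.append(" ".join(shlex.quote(a) for a in cmd))
        if not self.dry_run:
            # argument list, no shell; needs root or CAP_NET_ADMIN
            subprocess.run(cmd, check=True)

    def duration_for(self, ip):
        """Seconds the next ban of `ip` should last, or None for permanent."""
        n = self.offences.get(ip, 0)
        return BACKOFF_SECONDS[n] if n < len(BACKOFF_SECONDS) else PERMANENT

    def ban(self, ip):
        """Block `ip` and return its unban time (None = permanent)."""
        ipaddress.ip_address(ip)              # raises ValueError for anything that is not an IP
        if ip in SAFELIST:
            raise ValueError(f"refusing to ban safelisted address {ip}")
        if ip in self.expires:
            return self.expires[ip]           # already blocked; do not stack duplicate rules
        duration = self.duration_for(ip)
        self.offences[ip] = self.offences.get(ip, 0) + 1
        self.expires[ip] = PERMANENT if duration is PERMANENT else self.clock() + duration
        self._iptables("-A", "INPUT", "-s", ip, "-j", "DROP")
        return self.expires[ip]

    def unban_expired(self):
        """Remove the DROP rule for every ban whose time is up; return those IPs."""
        now = self.clock()
        due = [ip for ip, exp in self.expires.items() if exp is not None and exp <= now]
        for ip in due:
            self._iptables("-D", "INPUT", "-s", ip, "-j", "DROP")
            del self.expires[ip]
        return due

if __name__ == "__main__":
    bm = BanManager(dry_run=True)
    bm.ban("203.0.113.9")       # constructed attacker address
    print("\n".join(bm.commands))
```

Two things to watch when wiring this into a long-running daemon: the ban state lives in memory, so after a restart the iptables rules are still there but the unban timers are gone (persist the table, or flush your own rules on startup), and the IP is validated with `ipaddress` before it reaches `iptables` because it came straight out of a log line that the client partly controls.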
Step 7: Slack Alerts
I used Slack webhooks to send alerts like the following:
- Global traffic spike
- IP blocked
- IP unbanned
Here is how I implemented that (the code is in the GitHub repo linked at the end of the post).
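The Slack alert step, as an added Python example (not the post's code). It uses only the standard library, reads the webhook URL from the `SLACK_WEBHOOK_URL` environment variable (the variable name is this example's choice), and escapes log-derived text because Slack treats `&`, `<` and `>` as markup:

```python
import json
import os
import urllib.request

def _escape(text):
    """Slack mrkdwn treats & < > specially; escape anything that came from a log."""
    return str(text).replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

# The three alert types listed in the post.
TITLES = {
    "spike": ":rotating_light: Global traffic spike",
    "banned": ":no_entry: IP blocked",
    "unbanned": ":white_check_mark: IP unbanned",
}

def slack_payload(kind, **fields):
    """Build the JSON body for one alert. Slack incoming webhooks accept
    {"text": "..."} with mrkdwn formatting; extra fields become bold-labelled lines."""
    lines = [TITLES[kind]] + [f"*{k}*: {_escape(v)}" for k, v in fields.items()]
    return {"text": "\n".join(lines)}

def send_alert(kind, webhook_url=None, timeout=5, **fields):
    """POST the alert. The webhook URL is a secret: it comes from the environment
    (or an explicit argument), never from source code."""
    url = webhook_url or os.environ.get("SLACK_WEBHOOK_URL")
    if not url:
        raise RuntimeError("SLACK_WEBHOOK_URL is not set; refusing to send alert")
    body = json.dumps(slack_payload(kind, **fields)).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status == 200   # Slack answers 200 "ok" on success

if __name__ == "__main__":
    # Offline demo: print the payload instead of calling Slack.
    payload = slack_payload("banned", ip="203.0.113.9", reason="z-score 4.2 > 3", until="10 min")
    print(json.dumps(payload, indent=2))
```

The `timeout` matters more than it looks: the alert is sent from the same daemon that does the detecting, and a webhook call that hangs without a timeout would stall log processing during exactly the moment you need it most.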
Step 8: Live Dashboard
I built a simple dashboard that shows the following:
- Global requests per second
- Top 10 IPs
- Banned IPs
- CPU & memory usage
- Baseline stats
It refreshes every 3 seconds.
Here is how I implemented that (the code is in the GitHub repo linked at the end of the post).
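The dashboard step, as an added Python example (not the post's code, which may use a web framework). It serves the five metric groups listed above over the standard library's `http.server`: a `/metrics` JSON endpoint plus a one-page UI that polls it every 3 seconds. CPU and memory come from the load average and `/proc/meminfo` (a Linux-only assumption; a real project would more likely use `psutil`), and the server binds to localhost by default because the page exposes banned IPs and detection thresholds, which is not something to publish to the whole internet:

```python
import json
import os
import threading
from collections import Counter
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

class DetectorState:
    """Shared state that the detector updates and the dashboard reads."""
    def __init__(self):
        self.lock = threading.Lock()
        self.rps = 0.0
        self.per_ip = Counter()   # ip -> requests in the current window
        self.banned = {}          # ip -> expiry epoch, or None if permanent
        self.baseline = {"mean": 0.0, "stdev": 0.0, "samples": 0}

def system_usage():
    """CPU = 1-minute load average, memory = used fraction from /proc/meminfo.
    Assumption: Linux; on other systems both values are None."""
    load1 = os.getloadavg()[0] if hasattr(os, "getloadavg") else None
    mem_used = None
    try:
        info = {}
        with open("/proc/meminfo") as f:
            for line in f:
                key, value = line.split(":", 1)
                info[key] = int(value.strip().split()[0])   # values are in kB
        mem_used = round(1 - info["MemAvailable"] / info["MemTotal"], 3)
    except (OSError, KeyError, ValueError):
        pass
    return {"load1": load1, "mem_used": mem_used}

def snapshot(state):
    """Everything the dashboard shows, as one JSON-serialisable dict."""
    with state.lock:
        return {
            "rps": state.rps,
            "top_ips": state.per_ip.most_common(10),
            "banned": sorted(state.banned),
            "baseline": dict(state.baseline),
            "system": system_usage(),
        }

PAGE = """<!doctype html><title>DDoS detector</title>
<pre id="out">loading...</pre>
<script>
async function tick() {
  const r = await fetch('/metrics');
  document.getElementById('out').textContent = JSON.stringify(await r.json(), null, 2);
}
tick(); setInterval(tick, 3000);   // refresh every 3 seconds
</script>"""

def make_handler(state):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == "/metrics":
                body, ctype = json.dumps(snapshot(state)).encode(), "application/json"
            elif self.path == "/":
                body, ctype = PAGE.encode(), "text/html; charset=utf-8"
            else:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", ctype)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):   # keep the dashboard out of the access log
            pass
    return Handler

def serve(state, host="127.0.0.1", port=5000):
    """Blocking; run in a thread next to the detector loop."""
    ThreadingHTTPServer((host, port), make_handler(state)).serve_forever()

if __name__ == "__main__":
    demo = DetectorState()
    demo.per_ip.update({"203.0.113.7": 42, "198.51.100.4": 7})   # constructed values
    print(json.dumps(snapshot(demo), indent=2))
```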
Step 9: Dockerizing Everything
I used Docker Compose to run the following:
- Nginx
- Nextcloud
- Detector service
This made setup easy and reproducible.
Here is how I implemented that (the code is in the GitHub repo linked at the end of the post).
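A Compose file for the three services above, as an added example (not the repo's actual `docker-compose.yml`; service names, image tags and paths are this example's assumptions). It shows the two things a detector that runs `iptables` from inside a container needs, `NET_ADMIN` and the host network namespace, and passes the Slack webhook in as an environment variable rather than baking it into the image:

```yaml
# Assumed layout: ./detector holds the Python daemon and its Dockerfile, and
# ./nginx/conf.d holds the site config. None of these paths come from the post.
services:
  nginx:
    image: nginx:stable
    ports:
      - "80:80"
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d:ro
      - nginx-logs:/var/log/nginx      # shared volume so the detector can tail access.log

  nextcloud:
    image: nextcloud
    expose:
      - "80"                           # reachable from nginx on the compose network only

  detector:
    build: ./detector
    environment:
      # Interpolated from the shell or a .env file at `docker compose up` time.
      # Keep .env in .gitignore; this is the fix for the "secrets in GitHub" problem.
      SLACK_WEBHOOK_URL: ${SLACK_WEBHOOK_URL}
    volumes:
      - nginx-logs:/var/log/nginx:ro
    network_mode: host                 # iptables rules must land in the host's netfilter, not the container's
    cap_add:
      - NET_ADMIN                      # what iptables actually needs; avoids a fully privileged container
    restart: unless-stopped

volumes:
  nginx-logs:
```

With `network_mode: host` the detector's dashboard port is bound directly on the host, so the bind address it listens on is what decides whether the dashboard is public.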
Challenges I Faced
- Secrets in GitHub: GitHub blocked my push because of a Slack webhook.
Fix: Moved the webhook to environment variables
- Container Not Starting: My app kept crashing because its config YAML file was missing.
Fix: Added it to the Docker image
- No Slack Alerts: The container couldn't access environment variables.
Fix: Passed the variables via docker-compose.yml
What I Learned
- How real-time log monitoring works
- How to detect anomalies using statistics
- How to automate security responses
- How to use Docker in real projects
- Why never commit secrets
Final Thoughts
This project helped me move from:
“Just learning DevOps” → “Building real-world systems”
If you’re a beginner, I highly recommend building something like this.
Dashboard URL: http://52.203.164.199:5000/
GitHub Repo: https://github.com/George-Adaba/anomaly-detection-ddos.git