DEV Community

Blessing Bill

Building a DDoS Bouncer: Anomaly Detection with Python & Z-Score

The Mission
At cloud.ng, security isn't just a feature; it's a necessity. I was tasked with deploying a secure Nextcloud instance and building a custom Anomaly Detection Engine to protect it from DDoS attacks and suspicious traffic.
The Architecture
I deployed Nextcloud and Nginx using Docker. Nginx acts as the gatekeeper, logging every request in JSON format. My detection engine, built in Python, tails these logs in real time; once an IP is flagged, its further requests are dropped at the host firewall before they reach the application.
The Brain: How it Works
The engine uses two core mathematical concepts to separate real users from bots:

  1. The Sliding Window
  To keep the tool lightweight and responsive, I implemented a sliding window using Python's collections.deque. The engine only remembers the last 60 seconds of traffic for each IP: as new requests come in, timestamps older than the window are evicted from the front of the deque. This ensures the tool reacts to sudden spikes in the moment rather than being biased by old data.
  2. The Rolling Baseline & Z-Score
  Instead of using a static limit (like 100 hits), the engine learns what "normal" looks like.
  Mean & Standard Deviation: every 60 seconds, the tool recalculates the mean and standard deviation of the per-IP request rate, giving a rolling baseline.
  Z-Score (The Weirdness Meter): an IP's z-score is (its rate - mean) / standard deviation. If the rate is more than three standard deviations above the mean (z > 3), the IP is flagged as an anomaly. This allows the system to adapt to busy times while still catching attackers. Two details matter in practice: the baseline has to come from earlier windows and exclude IPs that have already been flagged, otherwise a flood inflates the mean and the standard deviation and hides itself; and the standard deviation needs a floor, otherwise a perfectly uniform baseline divides by zero and flags everyone.

The Execution: Automatic Banning
When an anomaly is detected:
  Blocker: the engine communicates directly with the Linux firewall (iptables) to DROP all further traffic from the malicious IP. Because Nginx is published through Docker, the rule belongs in the DOCKER-USER chain; rules added to INPUT are not consulted for traffic forwarded to a container.
  Slack Alerts: my team gets an instant notification on Slack with the IP, the rate, and the z-score.
  The Jailer: an automated "Unbanner" manages a backoff schedule, releasing an IP after 10m on its first ban, 30m on the second and 2h after that, so legitimate users sharing an address eventually get back in.

The Result
I built a live metrics dashboard (on port 5000) that shows system health and active bans. This project proves that you don't need expensive enterprise tools to build robust, automated security.
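The pieces above (sliding window, rolling baseline, z-score, automatic ban, backoff unban) put together as one runnable engine. This is an added example written for this page, not the cloud.ng engine, whose code is not on the page. Assumptions, all mine: the Nginx JSON log lines carry a "ts" field in epoch seconds and a "remote_addr" field; the baseline is built from previous windows only and skips banned IPs; the standard deviation is floored at 1 request per window and scoring waits for four samples; the block/unblock callables stand in for the iptables calls; and the access log is constructed inline (four steady clients, then one 10 req/s flood).

```python
import json
import statistics
from collections import defaultdict, deque

WINDOW_SECONDS = 60                 # the post's 60-second sliding window
Z_THRESHOLD = 3.0                   # flag when more than 3 standard deviations above the mean
MIN_STDDEV = 1.0                    # assumed floor (req/window) so a flat baseline cannot divide by zero
MIN_BASELINE_SAMPLES = 4            # assumed number of per-IP samples needed before scoring starts
BAN_SCHEDULE = (600, 1800, 7200)    # the post's 10m / 30m / 2h backoff, in seconds
BASE = 1_700_000_000                # constructed epoch time for the sample log


def baseline_stats(samples):
    """Mean and floored std of per-IP rates gathered from completed windows (None until enough data)."""
    values = [v for window in samples for v in window]
    if len(values) < MIN_BASELINE_SAMPLES:
        return None
    return statistics.fmean(values), max(statistics.pstdev(values), MIN_STDDEV)


class Jailer:
    """Escalating bans; block/unblock are callables so this demo needs no root privileges."""
    def __init__(self, block, unblock):
        self.block, self.unblock = block, unblock
        self.strikes = defaultdict(int)   # previous bans per IP, selects the backoff step
        self.release_at = {}              # ip -> epoch second at which the Unbanner frees it

    def ban(self, ip, now):
        if ip in self.release_at:
            return
        step = min(self.strikes[ip], len(BAN_SCHEDULE) - 1)   # stays at 2h after the third ban
        self.strikes[ip] += 1
        self.release_at[ip] = now + BAN_SCHEDULE[step]
        self.block(ip)   # real engine: subprocess.run(["iptables", "-I", "DOCKER-USER", "-s", ip, "-j", "DROP"])

    def tick(self, now):
        released = [ip for ip, t in self.release_at.items() if now >= t]
        for ip in released:
            del self.release_at[ip]
            self.unblock(ip)
        return released


class Engine:
    def __init__(self, block, unblock):
        self.hits = defaultdict(deque)    # sliding window: ip -> timestamps of its recent requests
        self.history = deque(maxlen=10)   # rolling baseline: per-IP rates of the last 10 windows
        self.jailer = Jailer(block, unblock)
        self.alerts = []                  # (ts, ip, rate, z): the fields the post sends to Slack
        self.next_eval = None

    def feed(self, line):
        rec = json.loads(line)            # assumed log fields: "ts" (epoch seconds), "remote_addr"
        ts, ip = rec["ts"], rec["remote_addr"]
        self.next_eval = self.next_eval or ts + WINDOW_SECONDS
        while ts >= self.next_eval:       # a window boundary was crossed: score it
            self.evaluate(self.next_eval)
            self.next_eval += WINDOW_SECONDS
        if ip not in self.jailer.release_at:   # a DROPped client never reaches the Nginx log
            self.hits[ip].append(ts)

    def rates(self, now):
        for q in self.hits.values():      # evict timestamps older than the window
            while q and now - q[0] > WINDOW_SECONDS:
                q.popleft()
        return {ip: len(q) for ip, q in self.hits.items() if q}

    def evaluate(self, now):
        """Score active IPs against the rolling baseline, ban outliers, learn only from the rest."""
        rates, flagged = self.rates(now), {}
        if (stats := baseline_stats(self.history)) is not None:
            mean, std = stats
            for ip, rate in rates.items():
                z = (rate - mean) / std
                if z > Z_THRESHOLD:
                    flagged[ip] = z
                    self.alerts.append((now, ip, rate, round(z, 1)))
                    self.jailer.ban(ip, now)
        banned = set(flagged) | set(self.jailer.release_at)
        self.history.append([r for ip, r in rates.items() if ip not in banned])
        self.jailer.tick(now)
        return flagged


def constructed_log():
    """Constructed JSON access log: four steady clients for 120 s, plus a 10 req/s flood from t+60."""
    recs = [{"ts": BASE + t, "remote_addr": f"10.0.0.{n}"}
            for n, period in ((1, 3), (2, 4), (3, 5), (4, 6)) for t in range(0, 120, period)]
    recs += [{"ts": BASE + 60 + i // 10, "remote_addr": "203.0.113.9"} for i in range(400)]
    return [json.dumps(r) for r in sorted(recs, key=lambda r: r["ts"])]


def run_demo():
    blocked, unblocked = [], []
    engine = Engine(blocked.append, unblocked.append)
    for line in constructed_log():
        engine.feed(line)
    engine.evaluate(BASE + 120)           # close the second window
    return engine, blocked, unblocked
```

Calling run_demo() replays the constructed log: the first window (four clients at 20, 15, 12 and 10 requests) only trains the baseline (mean 14.25, std about 3.77), and in the second window the flood at 400 requests scores z of roughly 102 and is banned until BASE + 720, while the busiest legitimate client at 20 requests scores about 1.5 and is left alone. The baseline is taken from earlier windows and skips banned IPs on purpose: if you compute the mean and standard deviation over the same window you are scoring, the flood inflates both, and with n active IPs no single IP can exceed a population z-score of sqrt(n - 1), so with four legitimate clients plus the attacker the attacker tops out at z = 2 and a threshold of 3 never fires.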
