DEV Community

Doris Okereke

How I Built an Anomaly Detection Engine for DDoS Protection

What This Project Does and Why It Matters

Imagine you run a website. Normally 10 people visit per minute. Suddenly 500 requests flood in within a single minute: that could be a DDoS attack trying to crash your site. This project is like a security guard that watches your traffic, learns what "normal" looks like, and automatically blocks attackers.

I built this for a Nextcloud server (like Google Drive, but self-hosted) in the Go programming language.

How the Sliding Window Works

Think of a sliding window as a moving 60-second bucket. Every new request drops into the right side, and requests older than 60 seconds fall out the left side. At any moment you know exactly how many requests came in over the last 60 seconds, without storing everything forever.

I maintain two of these windows:

  • One per IP address (to catch single attackers)
  • One globally (to catch distributed attacks)
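Here is one way to implement both windows in Go. This is an added example written for this article, not code from the project's repository: it keeps one counter per second in a ring buffer rather than one entry per request, so memory stays constant no matter how hard the flood hits, and it adds an Evict step (my assumption, not described in the post) so that idle IPs are dropped from the per-IP map instead of growing it without bound under a spoofed-source flood. The IP addresses and timestamps in main are constructed sample data.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// SlidingWindow counts events in the trailing `size` seconds without keeping
// unbounded history: one counter per second, stored in a ring buffer.
type SlidingWindow struct {
	size    int     // window length in seconds (60 in the post)
	buckets []int   // per-second counts, indexed by unix-second % size
	stamps  []int64 // unix second each bucket currently belongs to
}

func NewSlidingWindow(seconds int) *SlidingWindow {
	return &SlidingWindow{size: seconds, buckets: make([]int, seconds), stamps: make([]int64, seconds)}
}

// Add records one request at time t.
func (w *SlidingWindow) Add(t time.Time) {
	sec := t.Unix()
	i := int(sec % int64(w.size))
	if w.stamps[i] != sec { // bucket is left over from an earlier lap: reset it
		w.stamps[i] = sec
		w.buckets[i] = 0
	}
	w.buckets[i]++
}

// Count returns the number of requests in the `size` seconds ending at now.
func (w *SlidingWindow) Count(now time.Time) int {
	cutoff := now.Unix() - int64(w.size) // buckets at or before this are stale
	total := 0
	for i := range w.buckets {
		if w.stamps[i] > cutoff {
			total += w.buckets[i]
		}
	}
	return total
}

// Tracker keeps one window per client IP plus one global window.
type Tracker struct {
	mu     sync.Mutex
	size   int
	perIP  map[string]*SlidingWindow
	global *SlidingWindow
}

func NewTracker(seconds int) *Tracker {
	return &Tracker{size: seconds, perIP: map[string]*SlidingWindow{}, global: NewSlidingWindow(seconds)}
}

// Record notes one request from ip at time t and returns the request count
// from that IP and the global count over the trailing window.
func (tr *Tracker) Record(ip string, t time.Time) (int, int) {
	tr.mu.Lock()
	defer tr.mu.Unlock()
	w, ok := tr.perIP[ip]
	if !ok {
		w = NewSlidingWindow(tr.size)
		tr.perIP[ip] = w
	}
	w.Add(t)
	tr.global.Add(t)
	return w.Count(t), tr.global.Count(t)
}

// Evict drops per-IP windows that saw nothing in the last window and returns
// how many were removed. Without this the map grows without bound when an
// attacker spoofs a fresh source address per packet.
func (tr *Tracker) Evict(now time.Time) int {
	tr.mu.Lock()
	defer tr.mu.Unlock()
	n := 0
	for ip, w := range tr.perIP {
		if w.Count(now) == 0 {
			delete(tr.perIP, ip)
			n++
		}
	}
	return n
}

func main() {
	tr := NewTracker(60)
	base := time.Unix(1_700_000_000, 0) // constructed start time
	for i := 0; i < 5; i++ {            // constructed: 5 requests from one client at t=0
		tr.Record("203.0.113.7", base)
	}
	for i := 0; i < 3; i++ { // constructed: 3 requests from another client at t=30s
		tr.Record("198.51.100.9", base.Add(30*time.Second))
	}
	ip, global := tr.Record("203.0.113.7", base.Add(59*time.Second))
	fmt.Println("t=59s  ip:", ip, "global:", global) // everything still inside the window
	ip, global = tr.Record("203.0.113.7", base.Add(61*time.Second))
	fmt.Println("t=61s  ip:", ip, "global:", global) // the t=0 burst has fallen out
	fmt.Println("evicted idle IPs:", tr.Evict(base.Add(200*time.Second)))
}
```

The ring buffer makes both Add and Count O(window length) and independent of request volume, which is the property you want in a component whose whole job is to survive floods.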

How the Baseline Learns from Traffic

The baseline is the system's memory of "normal." Every second I record how many requests came in. After 30 minutes I have 1800 data points. Every 60 seconds I calculate:

  • Mean (average requests per second)
  • Standard deviation (how much it varies)

I also keep separate baselines per hour of day, because traffic at 2am looks different from traffic at 2pm.

How the Detection Logic Makes a Decision

Two tests run on every request:

Test 1 - Z-Score: How many standard deviations above normal is this rate?
z = (current_rate - mean) / stddev
If z > 3.0, something is very wrong. (In practice stddev needs a small floor: a baseline with no variation at all would divide by zero, and a tiny stddev turns every blip into an enormous z.)

Test 2 - Rate Multiplier: Is this IP sending more than 5x the normal rate?
If yes, block immediately.

If an IP is also generating lots of errors (4xx/5xx responses), thresholds tighten automatically.
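The following Go example ties the two preceding sections together: it builds the per-hour baseline from per-second counts (mean and standard deviation recomputed on demand, as the post does every 60 seconds) and then runs the z-score and rate-multiplier tests with the error-driven tightening. It is an added example, not the project's code. The 3.0 z-score limit and the 5x multiplier come from the post; the error-ratio cutoff (50% of responses being 4xx/5xx), the halving of both thresholds for such clients, the stddev floor of 1.0, and applying both tests to the per-IP rate are my assumptions. The 30 minutes of "quiet" traffic in main is constructed.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Baseline keeps the last `capacity` per-second request counts for each hour
// of the day and the mean/stddev derived from them.
type Baseline struct {
	capacity int           // samples kept per hour; 1800 = 30 minutes of seconds
	samples  [24][]float64 // per-second counts for hours 0..23, newest last
	Mean     [24]float64
	Stddev   [24]float64
}

func NewBaseline(capacity int) *Baseline { return &Baseline{capacity: capacity} }

// Observe records the number of requests seen during the second at t.
func (b *Baseline) Observe(t time.Time, count int) {
	h := t.Hour()
	b.samples[h] = append(b.samples[h], float64(count))
	if len(b.samples[h]) > b.capacity { // drop the oldest sample
		b.samples[h] = b.samples[h][1:]
	}
}

// Recompute refreshes mean and population stddev for hour h (the post does
// this once every 60 seconds). It returns false if the hour has no samples.
func (b *Baseline) Recompute(h int) bool {
	s := b.samples[h]
	if len(s) == 0 {
		return false
	}
	var sum, sq float64
	for _, v := range s {
		sum += v
	}
	mean := sum / float64(len(s))
	for _, v := range s {
		sq += (v - mean) * (v - mean)
	}
	b.Mean[h], b.Stddev[h] = mean, math.Sqrt(sq/float64(len(s)))
	return true
}

// Detection thresholds. 3.0 and 5x are from the post; the error ratio,
// tightening factor and stddev floor are assumptions made for this example.
const (
	zLimit          = 3.0 // standard deviations above the mean
	multiplierLimit = 5.0 // times the normal rate
	errorRatioLimit = 0.5 // share of 4xx/5xx responses that counts as "lots"
	tightenFactor   = 0.5 // both thresholds are halved for error-heavy clients
	minStddev       = 1.0 // floor so a flat baseline cannot divide by zero
)

// Decision is the outcome of the two tests for one request.
type Decision struct {
	ZScore   float64
	Multiple float64
	Block    bool
	Reason   string
}

// Evaluate runs the z-score and rate-multiplier tests. rate is the current
// requests/second from the client, mean/stddev the baseline for this hour,
// and errorRatio the client's recent share of 4xx/5xx responses.
func Evaluate(rate, mean, stddev, errorRatio float64) Decision {
	zLim, multLim := zLimit, multiplierLimit
	if errorRatio >= errorRatioLimit {
		zLim *= tightenFactor
		multLim *= tightenFactor
	}
	z := (rate - mean) / math.Max(stddev, minStddev)
	multiple := 0.0
	if mean > 0 { // with no baseline yet only the z-score test can fire
		multiple = rate / mean
	}
	d := Decision{ZScore: z, Multiple: multiple}
	switch {
	case multiple > multLim:
		d.Block, d.Reason = true, "rate multiplier"
	case z > zLim:
		d.Block, d.Reason = true, "z-score"
	}
	return d
}

func main() {
	b := NewBaseline(1800)
	start := time.Date(2024, 1, 1, 14, 0, 0, 0, time.UTC)
	// Constructed quiet traffic: one request every sixth second for 30 minutes,
	// i.e. the post's "10 visitors per minute".
	for i := 0; i < 1800; i++ {
		count := 0
		if i%6 == 0 {
			count = 1
		}
		b.Observe(start.Add(time.Duration(i)*time.Second), count)
	}
	b.Recompute(14)
	fmt.Printf("hour 14 baseline: mean=%.3f/s stddev=%.3f\n", b.Mean[14], b.Stddev[14])
	flood := Evaluate(8.3, b.Mean[14], b.Stddev[14], 0.0) // roughly 500 requests/minute
	fmt.Printf("flood: z=%.1f x%.0f block=%v (%s)\n", flood.ZScore, flood.Multiple, flood.Block, flood.Reason)
	noisy := Evaluate(0.5, b.Mean[14], b.Stddev[14], 0.8) // mild rate, but 80%% errors
	fmt.Printf("error-heavy: x%.1f block=%v (%s)\n", noisy.Multiple, noisy.Block, noisy.Reason)
}
```

Note what the stddev floor does to the quiet-site case: with a mean of one request every six seconds the real stddev is about 0.37, and without the floor a single second with four requests would already score z > 10. The multiplier test catches the flood long before the z-score does on such low-volume baselines, which is why the post runs both.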

How iptables Blocks an IP

iptables is the classic Linux firewall front end. When I detect an attack, I run:
iptables -I INPUT -s <attacker_IP> -j DROP

The -I flag inserts the rule at the top of the INPUT chain, so it takes precedence over any ACCEPT rules below it, and DROP tells the Linux kernel to silently discard ALL packets from that IP; they never even reach the web server. Lifting the ban means deleting that same rule again. Bans lift automatically and escalate for repeat offenders: 10 minutes for the first offense, then 30 minutes, then 2 hours, then permanently.
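An added Go example (not the project's code) of the ban and unban side: it applies the escalation schedule above, inserts the DROP rule, and deletes exactly that rule again when the ban expires. The command runner is injected so the logic runs without root and without touching a real firewall; swap in ExecRunner for production. Two checks the post does not mention are my additions: the IP is validated with net.ParseIP before it ever becomes an iptables argument (so a value lifted from a spoofed header cannot reach the firewall), and a ban that is already active is not inserted twice, because duplicate rules would each need their own delete. The address and timestamps in main are constructed.

```go
package main

import (
	"fmt"
	"net"
	"os/exec"
	"strings"
	"sync"
	"time"
)

// banSchedule is the escalation from the post: 10 minutes, 30 minutes,
// 2 hours, then permanent (a zero duration means the ban is never lifted).
var banSchedule = []time.Duration{10 * time.Minute, 30 * time.Minute, 2 * time.Hour, 0}

// Runner executes an external command. It is injected so the ban logic can
// be exercised without root and without touching the real firewall.
type Runner func(name string, args ...string) error

// ExecRunner runs the command via os/exec: no shell is involved, so the
// arguments are passed as-is and cannot be re-interpreted.
func ExecRunner(name string, args ...string) error {
	out, err := exec.Command(name, args...).CombinedOutput()
	if err != nil {
		return fmt.Errorf("%s %s: %w: %s", name, strings.Join(args, " "), err, out)
	}
	return nil
}

// Banner tracks repeat offenders and manages their iptables DROP rules.
type Banner struct {
	mu       sync.Mutex
	run      Runner
	offenses map[string]int       // bans handed out per IP so far
	banned   map[string]time.Time // active bans and their expiry (zero = permanent)
}

func NewBanner(run Runner) *Banner {
	return &Banner{run: run, offenses: map[string]int{}, banned: map[string]time.Time{}}
}

// BanDuration returns the ban length for the n-th offense (1-based);
// anything past the end of the schedule is permanent.
func BanDuration(offense int) time.Duration {
	if offense < 1 {
		offense = 1
	}
	if offense > len(banSchedule) {
		offense = len(banSchedule)
	}
	return banSchedule[offense-1]
}

// Ban inserts a DROP rule for ip and returns the duration applied (0 means
// permanent). Non-IP strings and already-banned IPs are rejected.
func (b *Banner) Ban(ip string, now time.Time) (time.Duration, error) {
	if net.ParseIP(ip) == nil {
		return 0, fmt.Errorf("refusing to ban %q: not an IP address", ip)
	}
	b.mu.Lock()
	defer b.mu.Unlock()
	if _, active := b.banned[ip]; active {
		return 0, fmt.Errorf("%s is already banned", ip)
	}
	// -I puts the rule at the top of INPUT so it wins over any ACCEPT below it.
	if err := b.run("iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"); err != nil {
		return 0, err
	}
	b.offenses[ip]++
	d := BanDuration(b.offenses[ip])
	if d == 0 {
		b.banned[ip] = time.Time{}
	} else {
		b.banned[ip] = now.Add(d)
	}
	return d, nil
}

// Expire lifts every ban whose time is up by deleting exactly the rule Ban
// inserted. Permanent bans are skipped; a failed delete stays recorded and
// is retried on the next sweep. It returns the IPs that were unbanned.
func (b *Banner) Expire(now time.Time) []string {
	b.mu.Lock()
	defer b.mu.Unlock()
	var lifted []string
	for ip, until := range b.banned {
		if until.IsZero() || now.Before(until) {
			continue
		}
		if err := b.run("iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"); err != nil {
			continue
		}
		delete(b.banned, ip)
		lifted = append(lifted, ip)
	}
	return lifted
}

func main() {
	var cmds []string // fake runner: record the commands instead of running them
	record := func(name string, args ...string) error {
		cmds = append(cmds, name+" "+strings.Join(args, " "))
		return nil
	}
	b := NewBanner(record)
	now := time.Unix(1_700_000_000, 0)
	for i := 1; i <= 4; i++ { // 203.0.113.7 is a documentation address, constructed here
		d, err := b.Ban("203.0.113.7", now)
		now = now.Add(2 * time.Hour)
		fmt.Printf("offense %d: ban %v, err %v, lifted after 2h: %v\n", i, d, err, b.Expire(now))
	}
	fmt.Println(strings.Join(cmds, "\n")) // use ExecRunner instead of record to apply for real
}
```

Call Expire from a ticker (once a second is plenty) and remember that iptables rules do not survive a reboot, so a permanent ban either needs to be re-applied at startup from the Banner's state or persisted with the distribution's iptables-save mechanism.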

GitHub Repo

https://github.com/dorisjenny27/hng-stage3-devops

Dashboard

http://35.232.253.197:9090
