<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Blessing Bill</title>
    <description>The latest articles on DEV Community by Blessing Bill (@blessing_bill_abe78b8b2fc).</description>
    <link>https://dev.to/blessing_bill_abe78b8b2fc</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3904413%2F2d589273-6e1c-4834-8aad-40510ac55eeb.jpg</url>
      <title>DEV Community: Blessing Bill</title>
      <link>https://dev.to/blessing_bill_abe78b8b2fc</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/blessing_bill_abe78b8b2fc"/>
    <language>en</language>
    <item>
      <title>Building a DDoS Bouncer: Anomaly Detection with Python &amp; Z-Score</title>
      <dc:creator>Blessing Bill</dc:creator>
      <pubDate>Wed, 29 Apr 2026 21:49:56 +0000</pubDate>
      <link>https://dev.to/blessing_bill_abe78b8b2fc/building-a-ddos-bouncer-anomaly-detection-with-python-z-score-3ngk</link>
      <guid>https://dev.to/blessing_bill_abe78b8b2fc/building-a-ddos-bouncer-anomaly-detection-with-python-z-score-3ngk</guid>
      <description>&lt;p&gt;The Mission&lt;br&gt;
At cloud.ng, security isn't just a feature; it's a necessity. I was tasked with deploying a secure Nextcloud instance and building a custom Anomaly Detection Engine to protect it from DDoS attacks and suspicious traffic.&lt;br&gt;
The Architecture&lt;br&gt;
I deployed Nextcloud and Nginx using Docker. Nginx acts as the gatekeeper, logging every request in JSON format. My detection engine, built in Python, monitors these logs in real time to identify and block threats before they reach the application.&lt;br&gt;
The Brain: How it Works&lt;br&gt;
The engine uses two core mathematical concepts to separate real users from bots:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;The Sliding Window&lt;br&gt;
To keep the tool lightweight and responsive, I implemented a Sliding Window using Python's collections.deque.
The engine only remembers the last 60 seconds of traffic.
As new requests come in, old timestamps are "evicted." This ensures the tool reacts to sudden spikes in the moment, rather than being biased by old data.&lt;/li&gt;
&lt;li&gt;The Rolling Baseline &amp;amp; Z-Score&lt;br&gt;
Instead of using a "static" limit (like 100 hits), the engine learns what "normal" looks like.&lt;br&gt;
Mean &amp;amp; Standard Deviation: Every 60 seconds, the tool recalculates the average traffic rate.&lt;br&gt;
Z-Score (The Weirdness Meter): If an IP's request rate is 3 standard deviations from the mean, it’s flagged as an anomaly. This allows the system to adapt to busy times while still catching attackers.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The Execution: Automatic Banning&lt;br&gt;
When an anomaly is detected:&lt;br&gt;
Blocker: The engine communicates directly with the Linux firewall (iptables) to DROP all traffic from the malicious IP.&lt;br&gt;
Slack Alerts: My team gets an instant notification on Slack with the IP, the rate, and the Z-score.&lt;br&gt;
The Jailer: An automated "Unbanner" manages a backoff schedule, releasing IPs after 10m, 30m, or 2h to ensure legitimate users eventually get back in.&lt;br&gt;
The Result&lt;br&gt;
I built a Live Metrics Dashboard (on Port 5000) that shows system health and active bans. This project proves that you don't need expensive enterprise tools to build robust, automated security.&lt;/p&gt;

</description>
      <category>algorithms</category>
      <category>cybersecurity</category>
      <category>python</category>
      <category>security</category>
    </item>
  </channel>
</rss>
