DEV Community: Boluwaji Dare The latest articles on DEV Community by Boluwaji Dare (@dbolup). https://dev.to/dbolup https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3904130%2F63ae8d01-1672-4543-94c0-a16c770d4d8a.png DEV Community: Boluwaji Dare https://dev.to/dbolup en How I Built a Real-Time DDoS Detection Engine from Scratch (No Libraries Cheat Sheet!) Boluwaji Dare Wed, 29 Apr 2026 11:08:02 +0000 https://dev.to/dbolup/how-i-built-a-real-time-ddos-detection-engine-from-scratch-no-libraries-cheat-sheet-4ec7 https://dev.to/dbolup/how-i-built-a-real-time-ddos-detection-engine-from-scratch-no-libraries-cheat-sheet-4ec7 <p>Imagine you run a website. Everything is working fine, users are logging in, uploading files, and going about their day. Then suddenly, one bad actor decides to flood your server with thousands of requests per second. Your server slows down, legitimate users can't get in, and your business grinds to a halt. This is called a DDoS attack (Distributed Denial of Service), and it happens to companies of all sizes every single day.<br> In this post, I'll walk you through how I built a tool that watches all incoming traffic in real time, learns what "normal" looks like, and automatically blocks attackers all without using any rate-limiting libraries, just pure Python logic.</p> <p>By the end of this post, you'll understand:</p> <ul> <li>How traffic is monitored in real time</li> <li>What a sliding window is and why it matters</li> <li>How the system learns a "normal" baseline</li> <li>How anomaly detection makes a decision</li> <li>How iptables blocks an attacker at the network level</li> </ul> <p>Let's dive in!</p> <p>What I Built<br> Here's the big picture of the system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Internet Traffic ↓ Nginx (reverse proxy) ↓ writes JSON logs ↓ Our Detector Daemon ←── runs 24/7 ↓ ↓ ↓ Block IP Slack Alert Dashboard (iptables) (webhook) (website) </code></pre> </div> <p>The stack has four moving parts:<br> Nginx sits in front of the application and writes every single HTTP request to a log file in JSON format — things like the source IP, the URL, the status code, and the timestamp.</p> <p>Nextcloud is the actual web application users interact with. I don't touch it.<br> Our Detector is a Python daemon — a program that runs forever in the background. It reads the Nginx log file line by line, tracks request rates, computes a baseline, and fires an alert when something looks wrong.<br> The Dashboard is a simple web page that shows live stats, banned IPs, request rates, top talkers, and CPU usage, refreshing every 3 seconds.</p> <p><strong>Part 1: Reading the Log File in Real Time</strong><br> The first challenge was: how do you read a file that is constantly being written to?<br> Think of it like reading a book while someone else is adding new pages at the end. You need to keep your finger on the last page and check for new content every fraction of a second.<br> This technique is called tailing a file — like the Unix tail -f command. Here's how I did it in Python:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">tail_log</span><span class="p">(</span><span class="n">filepath</span><span class="p">):</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">filepath</span><span class="p">,</span> <span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="c1"># Jump to the end of the file first </span> <span class="c1"># so I only read NEW lines going forward </span> <span class="n">f</span><span class="p">.</span><span class="nf">seek</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">line</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="nf">readline</span><span class="p">()</span> <span class="k">if</span> <span class="n">line</span><span class="p">:</span> <span class="k">yield</span> <span class="n">line</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="c1"># give the line to whoever called us </span> <span class="k">else</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.1</span><span class="p">)</span> <span class="c1"># no new line yet, wait a moment </span></code></pre> </div> <p>The key trick here is f.seek(0, 2) — this jumps the reading cursor to the very end of the file. That way I don't re-process old traffic from before the daemon started.<br> Every new line is a JSON object that looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">json</span><span class="p">{</span><span class="w"> </span><span class="nl">"source_ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0.0.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YYYY-MM-DDT09:53:21+00:00"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="p">,</span><span class="w"> </span><span class="nl">"response_size"</span><span class="p">:</span><span class="w"> </span><span class="mi">1234</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>I parse this with Python's built-in json.loads() to extract the IP address, status code, and other fields.</p> <p><strong>Part 2: The Sliding Window: Tracking Request Rates</strong><br> Now that I'm reading requests in real time, I need to answer the question: how many requests has this IP sent in the last 60 seconds?<br> A naive approach would be to count requests per minute. But that has a problem — if an attacker sends 1000 requests at 00:59 and another 1000 at 01:01, a per-minute counter would only ever see 1000 at a time, never the full burst.<br> A sliding window solves this. Instead of fixed time buckets, I track a moving 60-second window that always ends at "right now."<br> Here's how it works using Python's deque (a double-ended queue — you can efficiently add to one end and remove from the other):</p> <p>python<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span> <span class="kn">import</span> <span class="n">time</span> <span class="c1"># One deque per IP — stores timestamps of each request </span><span class="n">ip_windows</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">def</span> <span class="nf">record_request</span><span class="p">(</span><span class="n">ip</span><span class="p">):</span> <span class="n">now</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="n">cutoff</span> <span class="o">=</span> <span class="n">now</span> <span class="o">-</span> <span class="mi">60</span> <span class="c1"># 60 seconds ago </span> <span class="k">if</span> <span class="n">ip</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">ip_windows</span><span class="p">:</span> <span class="n">ip_windows</span><span class="p">[</span><span class="n">ip</span><span class="p">]</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">()</span> <span class="c1"># Add this request's timestamp </span> <span class="n">ip_windows</span><span class="p">[</span><span class="n">ip</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="c1"># Remove timestamps older than 60 seconds from the LEFT side </span> <span class="k">while</span> <span class="n">ip_windows</span><span class="p">[</span><span class="n">ip</span><span class="p">]</span> <span class="ow">and</span> <span class="n">ip_windows</span><span class="p">[</span><span class="n">ip</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">ip_windows</span><span class="p">[</span><span class="n">ip</span><span class="p">].</span><span class="nf">popleft</span><span class="p">()</span> <span class="c1"># How many requests in the last 60 seconds? </span> <span class="n">count</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">ip_windows</span><span class="p">[</span><span class="n">ip</span><span class="p">])</span> <span class="n">rate</span> <span class="o">=</span> <span class="n">count</span> <span class="o">/</span> <span class="mi">60</span> <span class="c1"># requests per second </span> <span class="k">return</span> <span class="n">rate</span> </code></pre> </div> <p>Why deque? Because removing old entries from the left end of a deque is O(1) — instant — whereas doing the same with a regular Python list would be O(n) — slow for large lists.<br> Eviction logic: Every time a new request comes in, I check the leftmost (oldest) timestamp. If it's older than 60 seconds, I pop it off. I keep doing this until all remaining timestamps are within the window. This means the deque always contains only the last 60 seconds of activity.<br> I maintain two of these windows in parallel:</p> <p>One per IP — to detect a single aggressive attacker<br> One global — to detect a flood from many different IPs at once</p> <p><strong>Part 3: The Rolling Baseline</strong> <br> Learning What Normal Looks Like: Knowing the current rate isn't enough. I need to know whether that rate is unusual. A server that normally handles 100 requests per second shouldn't be alarmed by 80, but a server that normally handles 2 requests per second absolutely should be alarmed by 80.</p> <p>This is why I built a rolling baseline, a statistical picture of what normal traffic looks like over the past 30 minutes.<br> Here's the approach:</p> <p>python<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">math</span> <span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span> <span class="c1"># Rolling window stores (timestamp, per_second_count) tuples </span><span class="n">window</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">()</span> <span class="n">current_second</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">())</span> <span class="n">current_count</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">def</span> <span class="nf">record_request</span><span class="p">():</span> <span class="k">global</span> <span class="n">current_second</span><span class="p">,</span> <span class="n">current_count</span> <span class="n">now</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">())</span> <span class="k">if</span> <span class="n">now</span> <span class="o">!=</span> <span class="n">current_second</span><span class="p">:</span> <span class="c1"># Save the completed second into the rolling window </span> <span class="n">window</span><span class="p">.</span><span class="nf">append</span><span class="p">((</span><span class="n">current_second</span><span class="p">,</span> <span class="n">current_count</span><span class="p">))</span> <span class="c1"># Evict entries older than 30 minutes </span> <span class="n">cutoff</span> <span class="o">=</span> <span class="n">now</span> <span class="o">-</span> <span class="p">(</span><span class="mi">30</span> <span class="o">*</span> <span class="mi">60</span><span class="p">)</span> <span class="k">while</span> <span class="n">window</span> <span class="ow">and</span> <span class="n">window</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">window</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="n">current_second</span> <span class="o">=</span> <span class="n">now</span> <span class="n">current_count</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">current_count</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">def</span> <span class="nf">recalculate_baseline</span><span class="p">():</span> <span class="c1"># Extract just the counts </span> <span class="n">data</span> <span class="o">=</span> <span class="p">[</span><span class="n">count</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">count</span> <span class="ow">in</span> <span class="n">window</span><span class="p">]</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">2</span><span class="p">:</span> <span class="k">return</span> <span class="c1"># not enough data yet </span> <span class="n">mean</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="o">/</span> <span class="nf">len</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="n">variance</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">((</span><span class="n">x</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">**</span> <span class="mi">2</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">data</span><span class="p">)</span> <span class="o">/</span> <span class="nf">len</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="n">stddev</span> <span class="o">=</span> <span class="n">math</span><span class="p">.</span><span class="nf">sqrt</span><span class="p">(</span><span class="n">variance</span><span class="p">)</span> <span class="k">return</span> <span class="n">mean</span><span class="p">,</span> <span class="n">stddev</span> </code></pre> </div> <p>I recalculate this every 60 seconds. The result is two numbers:</p> <p>mean — the average requests per second over the last 30 minutes<br> stddev — how much the traffic normally varies</p> <p>I also apply floor values — minimum values of 0.5 for mean and 0.3 for stddev. This prevents false positives when traffic is near zero (a single request would look like a massive spike if mean is 0.001).<br> I also maintain per-hour slots — separate baselines for each hour of the day. This way, if your server is always busier at 9am than at 3am, the system knows that and doesn't panic during the morning rush.</p> <p><strong>Part 4: Anomaly Detection: Making the Decision</strong><br> Now I have two things:</p> <p>The current rate for an IP (from the sliding window)<br> The baseline mean and stddev (from the rolling window)</p> <p>I use these to calculate a z-score — a standard statistical measure of how far something is from normal, measured in standard deviations:<br> z-score = (current_rate - baseline_mean) / baseline_stddev<br> For example, if baseline mean is 2 req/s, stddev is 0.5, and an IP is sending 10 req/s:<br> z-score = (10 - 2) / 0.5 = 16<br> A z-score of 16 is extremely abnormal. I flag anything above 2.0 as suspicious.<br> I also have a second check on a rate multiplier. If the current rate is more than 3× the baseline mean, it's flagged regardless of z-score. This catches attacks that happen to have a low z-score because of high variance in the baseline.<br> Whichever check fires first wins:</p> <p>python<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">check_anomaly</span><span class="p">(</span><span class="n">ip_rate</span><span class="p">,</span> <span class="n">baseline_mean</span><span class="p">,</span> <span class="n">baseline_stddev</span><span class="p">):</span> <span class="n">zscore</span> <span class="o">=</span> <span class="p">(</span><span class="n">ip_rate</span> <span class="o">-</span> <span class="n">baseline_mean</span><span class="p">)</span> <span class="o">/</span> <span class="n">baseline_stddev</span> <span class="k">if</span> <span class="n">zscore</span> <span class="o">&gt;</span> <span class="mf">2.0</span><span class="p">:</span> <span class="k">return</span> <span class="bp">True</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">z-score=</span><span class="si">{</span><span class="n">zscore</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s"> rate=</span><span class="si">{</span><span class="n">ip_rate</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">/s</span><span class="sh">"</span> <span class="k">if</span> <span class="n">ip_rate</span> <span class="o">&gt;</span> <span class="n">baseline_mean</span> <span class="o">*</span> <span class="mf">3.0</span><span class="p">:</span> <span class="k">return</span> <span class="bp">True</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">rate=</span><span class="si">{</span><span class="n">ip_rate</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">/s is 3x baseline</span><span class="sh">"</span> <span class="k">return</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">""</span> </code></pre> </div> <p>I also have an error surge feature. If an IP's 4xx/5xx error rate is 3× the normal error rate, I tighten its detection thresholds automatically — because legitimate users don't usually generate lots of errors.</p> <p><strong>Part 5: Blocking with iptables</strong><br> Once I decide an IP is malicious, I need to block it at the network level, before it even reaches our application. I use iptables for this.<br> Iptables is Linux's built-in firewall. It inspects every network packet and decides what to do with it based on rules you define.<br> To block an IP:<br> bashiptables -I INPUT -s 192.168.1.100 -j DROP<br> This tells the kernel: "For any incoming packet from 192.168.1.100, DROP it — don't even acknowledge it."<br> I call this from Python using subprocess:</p> <p>python<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">subprocess</span> <span class="k">def</span> <span class="nf">ban_ip</span><span class="p">(</span><span class="n">ip</span><span class="p">):</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">iptables</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-I</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INPUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-s</span><span class="sh">"</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">-j</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP</span><span class="sh">"</span><span class="p">],</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Banned </span><span class="si">{</span><span class="n">ip</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">To</span> <span class="n">unban</span><span class="p">:</span> <span class="n">pythondef</span> <span class="nf">unban_ip</span><span class="p">(</span><span class="n">ip</span><span class="p">):</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">iptables</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-D</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INPUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-s</span><span class="sh">"</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">-j</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP</span><span class="sh">"</span><span class="p">],</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Unbanned </span><span class="si">{</span><span class="n">ip</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>I use -I (insert) to add at the top of the chain so it takes effect immediately, and -D (delete) to remove it when the ban expires.</p> <p><strong>Part 6: Auto-Unban with Backoff Schedule</strong><br> I don't ban IPs forever on the first offence. I use a backoff schedule:<br> OffenceBan Duration1st10 minutes2nd30 minutes3rd2 hours4th+Permanent<br> A background thread checks every 30 seconds whether any ban has expired and releases it automatically, sending a Slack notification each time.</p> <p>Part 7: Slack Alerts<br> Every ban and unban sends a message to a Slack channel via webhook. A webhook is just a URL you POST a JSON message to:</p> <p>python<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span><span class="p">,</span> <span class="n">json</span> <span class="k">def</span> <span class="nf">send_alert</span><span class="p">(</span><span class="n">webhook_url</span><span class="p">,</span> <span class="n">message</span><span class="p">):</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="n">webhook_url</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">message</span><span class="p">}),</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">}</span> <span class="p">)</span> </code></pre> </div> <p>A ban alert looks like this in Slack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🚨 IP BANNED IP: 0.0.0.0 Condition: z-score=16.20 rate=8.33/s Baseline mean: 0.50 req/s Ban duration: 10 min Time: 2026-04-29 09:53:21 </code></pre> </div> <p><strong>Part 8: The Live Dashboard</strong><br> The dashboard is a simple Flask web app that renders an HTML page with live stats and refreshes every 3 seconds using an HTML meta refresh tag. It shows banned IPs, global request rate, top 10 source IPs, CPU and memory usage, baseline mean and stddev, and uptime.</p> <p>Lessons Learned</p> <ol> <li><p>Hardcoded thresholds don't work. Early versions had fixed numbers like "block anything above 100 req/s." This caused false positives during normal traffic spikes and missed attacks during high-traffic periods. The rolling baseline fixed this.</p></li> <li><p>The sliding window must use timestamps, not counters. A simple per-minute counter misses burst attacks that span minute boundaries. Storing actual timestamps in a deque and evicting by time gives accurate real-time rates.</p></li> <li><p>iptables needs root. The detector container must run as root and have the NET_ADMIN capability to execute iptables commands. This is a necessary tradeoff for network-level blocking.</p></li> <li><p>Floor values matter. Without minimum baseline values, any traffic on a quiet server looks like an attack. Setting a floor of 0.5 req/s mean, and 0.3 stddev prevents false alarms during low-traffic periods.</p></li> </ol> <p>Conclusion<br> Building this taught me that security tooling doesn't have to be magic. At its core, anomaly detection is just statistics — mean, standard deviation, and z-scores applied to real-time data streams. The sliding window gives you accurate rate measurements. The rolling baseline gives you context. And iptables gives you the power to act.<br> The full source code is available at: <a href="https://github.com/Dbolup/hng-stage3-devops" rel="noopener noreferrer"></a><br> The live dashboard is running at: <a href="http://dareboluwaji.duckdns.org:8080/" rel="noopener noreferrer"></a></p> python security showdev tutorial