How I Built a Real-Time DDoS Detection System with Python, Docker, and Nginx (Beginner-Friendly Guide)

George-Adaba — Wed, 29 Apr 2026 21:14:23 +0000

👋 Introduction

As a beginner stepping into DevOps and cybersecurity, I wanted to build something practical and impactful — not just theory.

So I built a real-time DDoS detection and mitigation system that:

Monitors live traffic from Nginx logs
Detects suspicious spikes using statistics
Automatically blocks attacking IPs
Sends alerts to Slack
Displays everything on a live dashboard

In this post, I’ll walk you through exactly how it works — in a simple, beginner-friendly way.

🧠 What Problem Am I Solving?

A DDoS (Distributed Denial of Service) attack happens when a server gets flooded with too many requests.

This can:

Slow down your app
Crash your server
Make your service unavailable

👉 My solution:
Build a system that can detect abnormal traffic and stop it automatically

🏗️ Project Architecture

Here’s what I used:

Nginx → Handles incoming traffic
Nextcloud → Sample app (target)
Python daemon → Detects attacks
Docker Compose → Runs everything
Slack Webhook → Sends alerts
Dashboard UI → Shows live metrics
🔍 Step 1: Monitoring Nginx Logs

Nginx logs every request like this:

127.0.0.1 - - [timestamp] "GET /index.html" 200

My system:

Reads logs in real-time
Extracts:
IP address
Timestamp
Status code
⏱️ Step 2: Sliding Window (Core Idea)

To detect attacks, I track requests over time using a sliding window.

Think of it like:

“How many requests happened in the last 60 seconds?”

I used Python’s deque to:

Add new requests
Remove old ones automatically
📊 Step 3: Building a Baseline

Instead of guessing what’s “too much traffic”, I calculate a baseline:

Track requests per second over 30 minutes
Compute:
Mean (average traffic)
Standard deviation

This helps answer:

“What does normal traffic look like?”

🚨 Step 4: Detecting Anomalies

I detect attacks using two methods:

Z-score

If traffic is far above normal:

z-score > 3

Spike detection

If traffic is:

5x the average

👉 If either condition is true → it’s an attack

🔥 Step 5: Blocking Attackers

When an IP is suspicious:

I block it using iptables
Example:
iptables -A INPUT -s -j DROP
🔄 Step 6: Auto-Unban System

Not every spike is an attack forever.

So I implemented a backoff unban system:

10 minutes
30 minutes
2 hours
Permanent (if repeated)
🔔 Step 7: Slack Alerts

I used Slack webhooks to send alerts like:

🚨 Global traffic spike
🚨 IP blocked
✅ IP unbanned
📊 Step 8: Live Dashboard

I built a simple dashboard that shows:

Global requests per second
Top 10 IPs
Banned IPs
CPU & memory usage
Baseline stats

It refreshes every 3 seconds.

🐳 Step 9: Dockerizing Everything

I used Docker Compose to run:

Nginx
Nextcloud
Detector service

This made setup easy and reproducible.

⚠️ Challenges I Faced

Secrets in GitHub

GitHub blocked my push because of a Slack webhook.

👉 Fix:

Moved webhook to environment variables

Container Not Starting

My app kept crashing because config.yaml was missing.

👉 Fix:

Added it to Docker image

No Slack Alerts

The container couldn’t access environment variables.

👉 Fix:

Passed variables via docker-compose.yml
🎯 What I Learned
How real-time log monitoring works
How to detect anomalies using statistics
How to automate security responses
How to use Docker in real projects
Why never to commit secrets
🚀 Final Thoughts

This project helped me move from:

“Just learning DevOps” → “Building real-world systems”

If you’re a beginner, I highly recommend building something like this.

Dashboard URL http://52.203.164.199:5000/
Github Repo https://github.com/George-Adaba/anomaly-detection-ddos.git

DEV Community: George-Adaba

How I Built a Real-Time DDoS Detection System with Python, Docker, and Nginx (Beginner-Friendly Guide)