How I Built a Real-Time DDoS Detection Engine for Nextcloud

Tifestorm — Wed, 29 Apr 2026 07:13:46 +0000

What This Project Does and Why It Matters

Imagine you run a cloud storage service used by thousands of people. One day, a hacker starts sending millions of requests per second to your server, crashing it for everyone. This is called a DDoS (Distributed Denial of Service) attack.

I built an anomaly detection engine that watches all incoming traffic in real time, learns what normal looks like, and automatically blocks attackers before they can cause damage.

How the Sliding Window Works

A sliding window is like a moving snapshot of recent traffic. I used Python's deque (double-ended queue) data structure to track request timestamps over the last 60 seconds.

from collections import deque
import time

ip_window = deque()

def record_request(ip):
    now = time.time()
    ip_window.append(now)
    # Remove timestamps older than 60 seconds
    while ip_window and ip_window[0] < now - 60:
        ip_window.popleft()

def get_rate():
    return len(ip_window) / 60  # requests per second

Every time a request comes in, we add the timestamp. Old timestamps (older than 60 seconds) are removed from the left. The rate is simply the number of remaining timestamps divided by 60.

How the Baseline Learns from Traffic

The baseline is how the system learns what "normal" looks like. Every second, we record how many requests came in. Every 60 seconds, we calculate the mean and standard deviation of the last 30 minutes of data.

Mean = average requests per second
Standard deviation = how much the traffic varies

We store baselines per hour, so the system adapts to morning traffic vs evening traffic automatically.

Floor values prevent false positives during quiet periods:

Minimum mean: 1.0 req/s
Minimum stddev: 0.5

How the Detection Logic Makes a Decision

We use a z-score to decide if traffic is anomalous:

z-score = (current_rate - baseline_mean) / baseline_stddev

If the z-score exceeds 3.0, it means the current rate is 3 standard deviations above normal — statistically very unlikely to happen by chance.

We also check if the rate is more than 5x the baseline mean. Whichever threshold fires first triggers a ban.

If an IP has a high error rate (4xx/5xx responses), we tighten the threshold to 2.1 to catch more subtle attacks.

How iptables Blocks an IP

When an attack is detected, we use iptables — Linux's built-in firewall — to drop all packets from the attacking IP:

import subprocess

def ban(ip):
    subprocess.run(['iptables', '-I', 'INPUT', '-s', ip, '-j', 'DROP'])

The -I INPUT inserts a rule at the top of the INPUT chain. -s specifies the source IP. -j DROP silently drops all packets from that IP.

Bans are temporary with a backoff schedule: 10 minutes → 30 minutes → 2 hours → permanent. This gives legitimate users a chance to get unbanned if they were falsely flagged.

Conclusion

Building this tool taught me how real security systems work — not just blocking known bad actors, but learning from traffic patterns and adapting automatically. The combination of sliding windows, statistical baselines, and iptables makes a powerful and lightweight DDoS protection system.

GitHub: https://github.com/goodnessoladipo17-rgb/hng-stage3
Live Dashboard: http://13.53.37.195:8080

DEV Community: Tifestorm