DEV Community: Hezekiah Umoh The latest articles on DEV Community by Hezekiah Umoh (@hezekiah_umoh). https://dev.to/hezekiah_umoh https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3875823%2Fbe07e4f3-136f-4324-beff-45cc88fe02d7.jpg DEV Community: Hezekiah Umoh https://dev.to/hezekiah_umoh en I Built a Tool That Builds My Infrastructure — Here's How It Went Hezekiah Umoh Tue, 05 May 2026 21:20:09 +0000 https://dev.to/hezekiah_umoh/i-built-a-tool-that-builds-my-infrastructure-heres-how-it-went-12om https://dev.to/hezekiah_umoh/i-built-a-tool-that-builds-my-infrastructure-heres-how-it-went-12om <h1> I Built a Tool That Builds My Infrastructure — Here's How It Went </h1> <p><em>A brutally honest account of building SwiftDeploy for the HNG14 Stage 4A DevOps challenge</em></p> <p>When I first read the Stage 4A task brief, one line jumped out at me:</p> <blockquote> <p>"Most DevOps tasks ask you to configure infrastructure manually — this one asks you to build the tool that does it for you."</p> </blockquote> <p>That single sentence changed how I approached the entire challenge. This wasn't about setting up servers or writing config files by hand. It was about building something that does all of that for you, from a single source of truth.</p> <p>This is the story of how I built <strong>SwiftDeploy</strong> — and every wall I hit along the way.</p> <h2> What Is SwiftDeploy? </h2> <p>SwiftDeploy is a declarative deployment CLI tool. You describe your entire infrastructure in a single <code>manifest.yaml</code> file, and the tool generates your Nginx config, Docker Compose file, manages your container lifecycle, and keeps your stack healthy.</p> <p>The stack consists of:</p> <ul> <li>A <strong>FastAPI</strong> Python service that runs in either <code>stable</code> or <code>canary</code> mode</li> <li>An <strong>Nginx</strong> reverse proxy that routes all traffic, logs every request, and returns JSON error responses</li> <li>A <strong>CLI tool</strong> written in Python with five subcommands: <code>init</code>, <code>validate</code>, <code>deploy</code>, <code>promote</code>, and <code>teardown</code> </li> <li>Everything generated from <strong>Jinja2 templates</strong> — no manually written config files allowed</li> </ul> <p>The grader would delete my generated files and re-run <code>swiftdeploy init</code> to verify everything regenerates correctly. If the tool broke, the stack broke. No shortcuts.</p> <h2> The Architecture </h2> <p>Before writing a single line of code, I mapped out how everything would connect:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>manifest.yaml → swiftdeploy init → nginx.conf + docker-compose.yml ↓ docker-compose up ↓ [nginx:8080] → [app:3000] </code></pre> </div> <p>The <code>manifest.yaml</code> is the only file a human ever edits. Everything else is derived from it. That constraint is what makes the tool interesting — and what made debugging it so painful at times.</p> <h2> Building the API Service </h2> <p>The API service is a FastAPI application with three endpoints:</p> <p><strong>GET /</strong> returns a welcome message including the current mode, version, and server timestamp.</p> <p><strong>GET /healthz</strong> returns a liveness check with process uptime in seconds — used by Docker's health check system to determine if the container is ready to serve traffic.</p> <p><strong>POST /chaos</strong> is the interesting one. It's only active in canary mode and lets you simulate degraded behaviour: slow responses, random 500 errors, or a full recovery. This is the kind of endpoint that makes canary deployments genuinely useful — you can test how your system behaves under failure before rolling it out to everyone.</p> <p>Canary mode also adds an <code>X-Mode: canary</code> header to every response, so you can always tell which mode the service is running in just by inspecting the headers.</p> <h2> Building the CLI </h2> <p>The CLI is a single Python script with no external framework — just <code>argparse</code>-style argument handling, PyYAML for parsing the manifest, and Jinja2 for rendering templates.</p> <p>The five subcommands each have a clear responsibility:</p> <p><strong>init</strong> reads the manifest and renders both templates. Simple, fast, deterministic.</p> <p><strong>validate</strong> runs five pre-flight checks before anything is deployed. It checks that the manifest exists and is valid YAML, that all required fields are present, that the Docker image exists locally, that the Nginx port is free on the host, and that the generated nginx.conf passes a syntax check.</p> <p><strong>deploy</strong> chains init and validate together, then brings up the stack and blocks until health checks pass — or times out after 60 seconds.</p> <p><strong>promote</strong> is the most complex command. It updates the mode field in <code>manifest.yaml</code> in-place, regenerates <code>docker-compose.yml</code> with the new MODE environment variable, restarts only the app container (not nginx), and then confirms the new mode is active by hitting <code>/healthz</code>.</p> <p><strong>teardown</strong> brings everything down cleanly. With <code>--clean</code>, it also deletes the generated config files.</p> <h2> The Challenges — And There Were Many </h2> <p>I want to be honest here. This project did not go smoothly. Here is every wall I hit, in order.</p> <h3> The folder was named wrong </h3> <p>My templates folder was named <code>template</code> — without the <strong>s</strong>. The CLI was looking for <code>templates/nginx.conf.j2</code> and kept throwing a <code>TemplateNotFound</code> error. I spent more time than I'd like to admit staring at that error before noticing the missing letter.</p> <h3> The file was named wrong too </h3> <p>Once the folder name was fixed, the nginx config template was named <code>nginx.config.j2</code> instead of <code>nginx.conf.j2</code>. Config versus conf — four characters making the whole thing fail silently.</p> <h3> Windows doesn't have chmod </h3> <p>Running <code>chmod +x swiftdeploy</code> in PowerShell throws an error. On Windows, you just run <code>python swiftdeploy &lt;command&gt;</code> directly — no permissions needed. This caught me off guard because the instructions assumed a Linux environment.</p> <h3> The Dockerfile wasn't saving </h3> <p>This one was the most frustrating. I edited the Dockerfile in VSCode multiple times, but the changes weren't persisting. The tab showed unsaved changes that I kept missing. Every <code>docker build</code> was using the old version of the file, and <code>pip install</code> was installing nothing because the COPY paths were wrong.</p> <p>The fix was bypassing VSCode entirely and writing the file content directly from the PowerShell terminal using <code>Out-File</code>. Once the file was written programmatically, the builds started working correctly.</p> <h3> app/requirements.txt was empty </h3> <p>The <code>requirements.txt</code> inside the <code>app/</code> folder was created but had no content — completely empty. Because <code>pip install</code> on an empty file succeeds without error, the container built cleanly but had no packages installed. <code>fastapi</code> and <code>uvicorn</code> were both missing, and the container crashed on startup with <code>No module named uvicorn</code>.</p> <p>I only caught this by running <code>docker run --rm swift-deploy-1-node:latest pip list</code> and seeing nothing but <code>pip</code> in the output. The fix was writing the dependencies directly from the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="s2">"fastapi==0.111.0</span><span class="se">`n</span><span class="s2">uvicorn[standard]==0.29.0"</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Out-File</span><span class="w"> </span><span class="nt">-FilePath</span><span class="w"> </span><span class="nx">app\requirements.txt</span><span class="w"> </span><span class="nt">-Encoding</span><span class="w"> </span><span class="nx">utf8</span><span class="w"> </span></code></pre> </div> <h3> Docker kept caching broken layers </h3> <p>Even after fixing the Dockerfile and the requirements file, Docker kept serving the old cached image. The fix was force-removing the image entirely and rebuilding with <code>--no-cache</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">docker</span><span class="w"> </span><span class="nx">rmi</span><span class="w"> </span><span class="nt">-f</span><span class="w"> </span><span class="nx">swift-deploy-1-node:latest</span><span class="w"> </span><span class="n">docker</span><span class="w"> </span><span class="nx">build</span><span class="w"> </span><span class="nt">--no-cache</span><span class="w"> </span><span class="nt">-t</span><span class="w"> </span><span class="nx">swift-deploy-1-node:latest</span><span class="w"> </span><span class="o">.</span><span class="w"> </span></code></pre> </div> <h3> Port 3000 was already allocated </h3> <p>My Stage 2 project containers were still running in the background and had port 3000 allocated. Every attempt to test the app container on port 3000 failed with <code>Bind for 0.0.0.0:3000 failed: port is already allocated</code>. The fix was simply stopping the Stage 2 frontend container temporarily.</p> <h3> Nginx upstream validation broke pre-deployment </h3> <p>The validate command tests nginx syntax by spinning up a temporary nginx container. But before the stack is running, the <code>app</code> hostname doesn't exist on any Docker network, so nginx reports <code>host not found in upstream</code>. This looks like a failure but is completely expected — the config is syntactically correct, the hostname just doesn't resolve yet.</p> <p>The fix was updating the validate logic to treat this specific error as a pass, not a failure. Any other nginx error would still cause validation to fail.</p> <h2> The Moment It Worked </h2> <p>After all of that, here is what the final deploy output looked like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">▶ swiftdeploy deploy ✔ nginx.conf generated ✔ docker-compose.yml generated ✔ manifest.yaml exists and is valid YAML ✔ All required manifest fields present and non-empty ✔ Docker image exists locally: swift-deploy-1-node:latest ✔ Nginx port 8080 is free ✔ nginx.conf is syntactically valid ✔ All checks passed — stack is ready to deploy ➜ Bringing up the stack… ✔ Container swiftdeploy-app-1 Healthy ✔ Container swiftdeploy-nginx-1 Started ✔ Stack is healthy → http://localhost:8080 </span></code></pre> </div> <p>And hitting <code>http://localhost:8080</code> in the browser returned:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Welcome to SwiftDeploy API — running in stable mode"</span><span class="p">,</span><span class="w"> </span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"stable"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-05-02T17:44:59.804140+00:00"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Then promoting to canary:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">▶ swiftdeploy promote canary ✔ manifest.yaml updated → mode: canary ✔ docker-compose.yml regenerated ➜ Restarting app container… ✔ Service healthy after promote → http://localhost:8080/healthz ➜ Active mode confirmed: canary </span></code></pre> </div> <p>That moment — seeing <code>Active mode confirmed: canary</code> in the terminal — felt genuinely satisfying after everything it took to get there.</p> <h2> What I Learned </h2> <p><strong>Declarative infrastructure is powerful but unforgiving.</strong> When the manifest is the single source of truth, every typo and every wrong path has consequences. But when it works, the elegance is undeniable — one file describes everything.</p> <p><strong>Always verify your file saves.</strong> On Windows especially, VSCode unsaved changes are easy to miss. When something isn't working despite your edits, verify the file content from the terminal before assuming the code is wrong.</p> <p><strong>Docker caching is a double-edged sword.</strong> It speeds up builds dramatically, but when you're debugging image content, it can hide your fixes behind stale layers. <code>--no-cache</code> should be your first instinct when something is inexplicably wrong.</p> <p><strong>Empty files fail silently.</strong> An empty <code>requirements.txt</code> is not an error — it's a valid file with no dependencies. Always verify what's actually inside your files, not just that they exist.</p> <p><strong>Pre-flight validation saves deployments.</strong> The five checks in the validate command caught real problems before they reached production. The nginx upstream check in particular required nuanced handling — not every nginx error is a real error.</p> <h2> Final Thoughts </h2> <p>SwiftDeploy is not a perfect tool. But it works. It deploys a full stack from a single manifest, handles canary deployments with a single command, and validates itself before touching anything.</p> <p>More importantly, every challenge I hit while building it taught me something real about how infrastructure tools work — and why the details matter so much.</p> <p>If you're working through HNG14 or any similar programme, my advice is simple: document your failures as carefully as your successes. The graders can tell the difference between someone who got fortunate and someone who actually understands what they built.</p> <p>Good fortune for you out there. 🚀</p> <p>Here's the repo incase it interest you to clone and replicate<br> Github:<a href="https://github.com/ntonous/hng14-stage4-taask.git" rel="noopener noreferrer">https://github.com/ntonous/hng14-stage4-taask.git</a></p> <p><em>Built with Python, FastAPI, Nginx, Docker,Jinja2 and a lot of patience.</em><br> <em>HNG14 Stage 4A — DevOps Track</em></p> python fastapi nginx docker How I Built a Real-Time DDoS Detection Engine from Scratch Hezekiah Umoh Tue, 05 May 2026 20:25:39 +0000 https://dev.to/hezekiah_umoh/how-i-built-a-real-time-ddos-detection-engine-from-scratch-11ei https://dev.to/hezekiah_umoh/how-i-built-a-real-time-ddos-detection-engine-from-scratch-11ei <h1> How I Built a Real-Time DDoS Detection Engine from Scratch (No Fail2Ban, No Libraries) </h1> <p><em>A beginner-friendly walkthrough of how I built a system that watches live web traffic, learns what "normal" looks like, and automatically blocks attackers — all from scratch using Python.</em></p> <h2> Why This Project Exists </h2> <p>Imagine you run a cloud storage platform. Thousands of users upload and download files every day. Then one morning, a single IP address starts sending <strong>500 requests per second</strong> to your server — way more than any normal user would ever send.</p> <p>Your server starts slowing down. Real users can't log in. Files won't upload. Your platform is under attack.</p> <p>This is called a <strong>DDoS attack</strong> — Distributed Denial of Service. The goal is simple: flood your server with so much traffic that it can't serve real users anymore.</p> <p>My job in this project was to build a tool that:</p> <ol> <li>Watches all incoming traffic in real time</li> <li>Learns what normal traffic looks like</li> <li>Detects when something is wrong</li> <li>Automatically blocks the attacker</li> <li>Sends a Slack alert so the team knows what happened</li> </ol> <p>And I had to do it <strong>without</strong> using Fail2Ban or any rate-limiting library. Everything had to be built from scratch.</p> <p>Let's walk through how it works — step by step.</p> <h2> The Big Picture </h2> <p>Before diving into code, here's what the system looks like at a high level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Internet Traffic ↓ Nginx (reverse proxy) ↓ writes JSON logs /var/log/nginx/hng-access.log ↓ tailed continuously monitor.py (sliding windows) ↓ feeds counts baseline.py (learns normal) ↓ compares detector.py (flags anomalies) ↓ if anomaly found blocker.py → iptables DROP rule notifier.py → Slack alert audit.py → audit log ↓ always running dashboard.py → live web UI </code></pre> </div> <p>Every component runs as a <strong>daemon</strong> — a background process that never stops. It's not a cron job that runs once a minute. It's always watching, always learning.</p> <h2> Part 1: Watching the Logs (monitor.py) </h2> <h3> What is Nginx doing? </h3> <p>Nginx is a web server that sits in front of our Nextcloud application. Every time someone makes a request — loading a page, uploading a file, logging in — Nginx writes a line to an <strong>access log</strong>.</p> <p>I configured Nginx to write logs in JSON format so they're easy to parse:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"source_ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"45.33.10.5"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2024-01-15T12:34:56+00:00"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/index.php"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="p">,</span><span class="w"> </span><span class="nl">"response_size"</span><span class="p">:</span><span class="w"> </span><span class="mi">4521</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>One line per request. Millions of lines per day on a busy server.</p> <h3> How do we read the log in real time? </h3> <p>You know how <code>tail -f</code> in Linux shows you new lines as they appear in a file? That's exactly what <code>monitor.py</code> does — but in Python.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">tail_log</span><span class="p">(</span><span class="n">log_path</span><span class="p">):</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">log_path</span><span class="p">,</span> <span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">fh</span><span class="p">:</span> <span class="n">fh</span><span class="p">.</span><span class="nf">seek</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="c1"># jump to end of file — skip old history </span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">line</span> <span class="o">=</span> <span class="n">fh</span><span class="p">.</span><span class="nf">readline</span><span class="p">()</span> <span class="k">if</span> <span class="n">line</span><span class="p">:</span> <span class="n">parsed</span> <span class="o">=</span> <span class="nf">parse_line</span><span class="p">(</span><span class="n">line</span><span class="p">)</span> <span class="k">if</span> <span class="n">parsed</span><span class="p">:</span> <span class="k">yield</span> <span class="n">parsed</span> <span class="c1"># send to main loop </span> <span class="k">else</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.05</span><span class="p">)</span> <span class="c1"># no new data, wait a moment </span></code></pre> </div> <p>The key line is <code>fh.seek(0, 2)</code> — this moves our reading position to the <strong>end</strong> of the file when we start. We don't want to process yesterday's logs, just new traffic from this moment forward.</p> <p>Then we loop forever: read a line, parse it, yield the result. The <code>yield</code> makes this a <strong>generator</strong> — it produces one request at a time for the main detection loop to process.</p> <h3> The Sliding Window — tracking who's doing what </h3> <p>Now here's where it gets interesting. For every request that comes in, we need to answer: "How many requests has this IP sent in the last 60 seconds?"</p> <p>The naive approach would be to count all requests and reset every minute. But that has a problem — what if someone sends 100 requests at 11:59 and 100 more at 12:00? A per-minute counter would show 100 for each minute, missing the burst.</p> <p>The right approach is a <strong>sliding window</strong> using a <code>deque</code> (double-ended queue).</p> <p>Think of a deque like a conveyor belt. New requests go on the right. Old requests fall off the left. The length of the belt is always exactly 60 seconds.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span><span class="p">,</span> <span class="n">defaultdict</span> <span class="n">WINDOW</span> <span class="o">=</span> <span class="mi">60</span> <span class="c1"># seconds </span> <span class="n">global_window</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">()</span> <span class="c1"># all requests </span><span class="n">ip_windows</span> <span class="o">=</span> <span class="nf">defaultdict</span><span class="p">(</span><span class="n">deque</span><span class="p">)</span> <span class="c1"># per-IP requests </span> <span class="k">def</span> <span class="nf">add_request</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">status</span><span class="p">):</span> <span class="n">now</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="c1"># Add this request to the right of both deques </span> <span class="n">global_window</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="n">ip_windows</span><span class="p">[</span><span class="n">ip</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="c1"># Evict entries older than 60 seconds from the left </span> <span class="n">cutoff</span> <span class="o">=</span> <span class="n">now</span> <span class="o">-</span> <span class="n">WINDOW</span> <span class="k">while</span> <span class="n">global_window</span> <span class="ow">and</span> <span class="n">global_window</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">global_window</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="k">for</span> <span class="n">dq</span> <span class="ow">in</span> <span class="n">ip_windows</span><span class="p">.</span><span class="nf">values</span><span class="p">():</span> <span class="k">while</span> <span class="n">dq</span> <span class="ow">and</span> <span class="n">dq</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">dq</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> </code></pre> </div> <p>Every entry in the deque is just a <strong>timestamp</strong>. So to get the current rate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">ip_rate</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">ip_windows</span><span class="p">[</span><span class="sh">"</span><span class="s">45.33.10.5</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># requests from this IP in last 60s </span><span class="n">global_rate</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">global_window</span><span class="p">)</span> <span class="c1"># all requests in last 60s </span></code></pre> </div> <p>No division needed. No rounding errors. Just count how many timestamps are still in the window.</p> <h2> Part 2: Learning What "Normal" Looks Like (baseline.py) </h2> <p>Here's a critical insight: <strong>you can't hardcode what "too many requests" means</strong>.</p> <p>At 3am, getting 5 requests per second might be unusual. At noon, getting 50 requests per second might be perfectly normal. If you hardcode a threshold of "more than 20 req/s = attack", you'll get false alarms all morning and miss attacks at night.</p> <p>The solution is a <strong>rolling baseline</strong> — the system learns what normal looks like by watching recent traffic.</p> <h3> How the baseline is calculated </h3> <p>Every second, we record how many requests came in that second:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">history</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">()</span> <span class="c1"># stores (timestamp, count, error_count) </span> <span class="k">def</span> <span class="nf">record_request</span><span class="p">(</span><span class="n">is_error</span><span class="o">=</span><span class="bp">False</span><span class="p">):</span> <span class="c1"># Increment current-second counter </span> <span class="n">_current_count</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">if</span> <span class="n">is_error</span><span class="p">:</span> <span class="n">_current_errors</span> <span class="o">+=</span> <span class="mi">1</span> </code></pre> </div> <p>Every second, we flush the current count into our history:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_flush</span><span class="p">():</span> <span class="n">now</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">())</span> <span class="n">history</span><span class="p">.</span><span class="nf">append</span><span class="p">((</span><span class="n">now</span><span class="p">,</span> <span class="n">current_count</span><span class="p">,</span> <span class="n">current_errors</span><span class="p">))</span> <span class="c1"># Remove data older than 30 minutes </span> <span class="n">cutoff</span> <span class="o">=</span> <span class="n">now</span> <span class="o">-</span> <span class="mi">1800</span> <span class="k">while</span> <span class="n">history</span> <span class="ow">and</span> <span class="n">history</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">history</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> </code></pre> </div> <p>Every 60 seconds, we recalculate the baseline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_compute</span><span class="p">():</span> <span class="n">data</span> <span class="o">=</span> <span class="p">[</span><span class="n">entry</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="k">for</span> <span class="n">entry</span> <span class="ow">in</span> <span class="n">history</span><span class="p">]</span> <span class="n">mean</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="o">/</span> <span class="nf">len</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="n">variance</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">((</span><span class="n">x</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span><span class="o">**</span><span class="mi">2</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">data</span><span class="p">)</span> <span class="o">/</span> <span class="nf">len</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="n">std</span> <span class="o">=</span> <span class="nf">sqrt</span><span class="p">(</span><span class="n">variance</span><span class="p">)</span> <span class="n">baseline</span><span class="p">[</span><span class="sh">"</span><span class="s">mean</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">mean</span><span class="p">,</span> <span class="mf">1.0</span><span class="p">)</span> <span class="c1"># never go below floor value </span> <span class="n">baseline</span><span class="p">[</span><span class="sh">"</span><span class="s">std</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">std</span><span class="p">,</span> <span class="mf">0.5</span><span class="p">)</span> <span class="c1"># never go below floor value </span></code></pre> </div> <h3> The per-hour slot trick </h3> <p>Traffic patterns change throughout the day. Morning rush hour is different from midnight. So instead of one global rolling average, we keep <strong>per-hour slots</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">hourly</span> <span class="o">=</span> <span class="nf">defaultdict</span><span class="p">(</span><span class="nb">list</span><span class="p">)</span> <span class="c1"># { hour_of_day -&gt; [counts] } </span> <span class="c1"># When adding a sample: </span><span class="n">hour</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">localtime</span><span class="p">().</span><span class="n">tm_hour</span> <span class="n">hourly</span><span class="p">[</span><span class="n">hour</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">count</span><span class="p">)</span> </code></pre> </div> <p>When computing the baseline, we prefer the current hour's data if it has enough samples:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">current_hour</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">localtime</span><span class="p">().</span><span class="n">tm_hour</span> <span class="n">hour_data</span> <span class="o">=</span> <span class="n">hourly</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">current_hour</span><span class="p">,</span> <span class="p">[])</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">hour_data</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">10</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">hour_data</span> <span class="c1"># use today's 2pm data to judge 2pm traffic </span><span class="k">else</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">full_30min_window</span> <span class="c1"># not enough hour data yet, use rolling window </span></code></pre> </div> <p>This means at 2pm, the baseline reflects what 2pm traffic normally looks like — not 3am traffic from 6 hours ago.</p> <h2> Part 3: Detecting Attacks (detector.py) </h2> <p>Now we have two numbers:</p> <ul> <li> <code>current_rate</code> — how many requests this IP sent in the last 60 seconds</li> <li> <code>baseline_mean</code> and <code>baseline_std</code> — what normal looks like</li> </ul> <p>The question is: how different does the current rate need to be before we call it an attack?</p> <h3> Z-score: the statistical approach </h3> <p>A <strong>z-score</strong> tells you how many standard deviations away from the mean a value is. The formula is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">z</span> <span class="o">=</span> <span class="p">(</span><span class="n">current_value</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">/</span> <span class="n">standard_deviation</span> </code></pre> </div> <p>For example:</p> <ul> <li>Mean = 10 req/s, Std = 2 req/s</li> <li>Current rate = 16 req/s</li> <li>Z-score = (16 - 10) / 2 = <strong>3.0</strong> </li> </ul> <p>A z-score of 3.0 means the value is 3 standard deviations above normal. In statistics, this happens by chance less than 0.3% of the time. That's suspicious.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">detect_ip</span><span class="p">(</span><span class="n">ip_rate</span><span class="p">,</span> <span class="n">mean</span><span class="p">,</span> <span class="n">std</span><span class="p">,</span> <span class="n">ip_error_rate</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="n">baseline_error</span><span class="o">=</span><span class="mi">0</span><span class="p">):</span> <span class="n">z</span> <span class="o">=</span> <span class="p">(</span><span class="n">ip_rate</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">/</span> <span class="n">std</span> <span class="c1"># Check z-score first </span> <span class="k">if</span> <span class="n">z</span> <span class="o">&gt;</span> <span class="mf">3.0</span><span class="p">:</span> <span class="k">return</span> <span class="bp">True</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">z-score=</span><span class="si">{</span><span class="n">z</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">&gt;3.0</span><span class="sh">"</span> <span class="c1"># Also check raw multiplier (catches slow z-score rises) </span> <span class="k">if</span> <span class="n">ip_rate</span> <span class="o">&gt;</span> <span class="n">mean</span> <span class="o">*</span> <span class="mf">5.0</span><span class="p">:</span> <span class="k">return</span> <span class="bp">True</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">ip_rate</span><span class="si">:</span><span class="p">.</span><span class="mi">1</span><span class="n">f</span><span class="si">}</span><span class="s">req/s &gt; 5x baseline</span><span class="sh">"</span> <span class="k">return</span> <span class="bp">False</span><span class="p">,</span> <span class="bp">None</span> </code></pre> </div> <p>We use <strong>two conditions</strong> because they catch different attack patterns:</p> <ul> <li>Z-score catches gradual increases relative to variance</li> <li>5x multiplier catches sudden spikes even when variance is low</li> </ul> <h3> Error surge tightening </h3> <p>Here's a clever trick: if an IP is generating lots of 404 errors or failed login attempts (4xx/5xx responses), it's probably a scanner or brute-force attack. We tighten the thresholds automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># If IP's error rate &gt; 3x the baseline error rate... </span><span class="n">error_surge</span> <span class="o">=</span> <span class="n">ip_error_rate</span> <span class="o">&gt;</span> <span class="mi">3</span> <span class="o">*</span> <span class="n">baseline_error_rate</span> <span class="k">if</span> <span class="n">error_surge</span><span class="p">:</span> <span class="n">z_limit</span> <span class="o">=</span> <span class="mf">2.0</span> <span class="c1"># tighter threshold (was 3.0) </span> <span class="n">mult</span> <span class="o">=</span> <span class="mf">3.0</span> <span class="c1"># tighter multiplier (was 5.0) </span></code></pre> </div> <p>This means suspicious IPs get caught faster, even if their total request rate isn't extreme yet.</p> <h2> Part 4: Blocking the Attacker (blocker.py) </h2> <p>Once we detect an anomaly, we need to block the IP within <strong>10 seconds</strong>. We use <code>iptables</code> — Linux's built-in firewall.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">subprocess</span> <span class="k">def</span> <span class="nf">block_ip</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">condition</span><span class="p">,</span> <span class="n">rate</span><span class="p">,</span> <span class="n">baseline_mean</span><span class="p">):</span> <span class="c1"># Add a DROP rule at the top of the INPUT chain </span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span> <span class="sh">"</span><span class="s">iptables</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-I</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INPUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-s</span><span class="sh">"</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="c1"># source IP </span> <span class="sh">"</span><span class="s">-j</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP</span><span class="sh">"</span> <span class="c1"># drop all packets from this IP </span> <span class="p">])</span> </code></pre> </div> <p>The <code>-I INPUT 1</code> means "insert at position 1" — the very top of the firewall rules. This ensures the block takes effect immediately for all subsequent packets.</p> <h3> The backoff schedule </h3> <p>We don't permanently ban IPs on the first offense — they might be a misconfigured bot, not a malicious attacker. Instead, we use a <strong>backoff schedule</strong>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Offense</th> <th>Ban Duration</th> </tr> </thead> <tbody> <tr> <td>1st</td> <td>10 minutes</td> </tr> <tr> <td>2nd</td> <td>30 minutes</td> </tr> <tr> <td>3rd</td> <td>2 hours</td> </tr> <tr> <td>4th+</td> <td>Permanent</td> </tr> </tbody> </table></div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">BAN_SCHEDULE</span> <span class="o">=</span> <span class="p">[</span><span class="mi">600</span><span class="p">,</span> <span class="mi">1800</span><span class="p">,</span> <span class="mi">7200</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">]</span> <span class="c1"># seconds (-1 = permanent) </span> <span class="k">def</span> <span class="nf">get_duration</span><span class="p">(</span><span class="n">ip</span><span class="p">):</span> <span class="n">offense_count</span> <span class="o">=</span> <span class="n">ban_count</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="n">idx</span> <span class="o">=</span> <span class="nf">min</span><span class="p">(</span><span class="n">offense_count</span><span class="p">,</span> <span class="nf">len</span><span class="p">(</span><span class="n">BAN_SCHEDULE</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="n">duration</span> <span class="o">=</span> <span class="n">BAN_SCHEDULE</span><span class="p">[</span><span class="n">idx</span><span class="p">]</span> <span class="n">ban_count</span><span class="p">[</span><span class="n">ip</span><span class="p">]</span> <span class="o">=</span> <span class="n">offense_count</span> <span class="o">+</span> <span class="mi">1</span> <span class="k">return</span> <span class="n">duration</span> </code></pre> </div> <p>When a ban expires, <code>unblock_expired()</code> removes the iptables rule automatically.</p> <h2> Part 5: Slack Alerts (notifier.py) </h2> <p>The team needs to know when something happens. We send structured Slack messages for every ban, unban, and global anomaly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="k">def</span> <span class="nf">send_ban</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">condition</span><span class="p">,</span> <span class="n">rate</span><span class="p">,</span> <span class="n">baseline_mean</span><span class="p">,</span> <span class="n">duration</span><span class="p">):</span> <span class="n">msg</span> <span class="o">=</span> <span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">:rotating_light: *IP BANNED*</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*IP:* `</span><span class="si">{</span><span class="n">ip</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Condition:* </span><span class="si">{</span><span class="n">condition</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Rate:* </span><span class="si">{</span><span class="n">rate</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s"> req/s</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Baseline:* </span><span class="si">{</span><span class="n">baseline_mean</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s"> req/s</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Duration:* </span><span class="si">{</span><span class="n">duration</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Time:* </span><span class="si">{</span><span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">WEBHOOK_URL</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">msg</span><span class="p">})</span> </code></pre> </div> <p>The webhook URL is stored as an <strong>environment variable</strong> — never hardcoded in source code. This is important for security: if you accidentally push your code to GitHub, your webhook won't be exposed.</p> <h2> Part 6: The Live Dashboard (dashboard.py) </h2> <p>The dashboard is a Flask web app that shows live metrics and refreshes every 3 seconds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">home</span><span class="p">():</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"""</span><span class="s"> &lt;html&gt; &lt;head&gt;&lt;meta http-equiv=</span><span class="sh">"</span><span class="s">refresh</span><span class="sh">"</span><span class="s"> content=</span><span class="sh">"</span><span class="s">3</span><span class="sh">"</span><span class="s">&gt;&lt;/head&gt; &lt;body&gt; &lt;h1&gt;Global Req/s: </span><span class="si">{</span><span class="nf">get_global_rate</span><span class="p">()</span><span class="si">}</span><span class="s">&lt;/h1&gt; &lt;h2&gt;Baseline Mean: </span><span class="si">{</span><span class="n">baseline</span><span class="p">[</span><span class="sh">"</span><span class="s">mean</span><span class="sh">"</span><span class="p">]</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">&lt;/h2&gt; &lt;h2&gt;Banned IPs: </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="nf">get_blocked_list</span><span class="p">())</span><span class="si">}</span><span class="s">&lt;/h2&gt; &lt;!-- ... more stats ... --&gt; &lt;/body&gt; &lt;/html&gt; </span><span class="sh">"""</span> </code></pre> </div> <p>The <code>&lt;meta http-equiv="refresh" content="3"&gt;</code> tag makes the browser automatically reload every 3 seconds — no JavaScript needed.</p> <h2> Part 7: Putting It All Together (main.py) </h2> <p>The main loop ties everything together. It's beautifully simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Start background threads </span><span class="n">threading</span><span class="p">.</span><span class="nc">Thread</span><span class="p">(</span><span class="n">target</span><span class="o">=</span><span class="n">baseline</span><span class="p">.</span><span class="n">loop</span><span class="p">,</span> <span class="n">daemon</span><span class="o">=</span><span class="bp">True</span><span class="p">).</span><span class="nf">start</span><span class="p">()</span> <span class="n">threading</span><span class="p">.</span><span class="nc">Thread</span><span class="p">(</span><span class="n">target</span><span class="o">=</span><span class="n">dashboard</span><span class="p">.</span><span class="n">run</span><span class="p">,</span> <span class="n">daemon</span><span class="o">=</span><span class="bp">True</span><span class="p">).</span><span class="nf">start</span><span class="p">()</span> <span class="c1"># Main detection loop </span><span class="k">for</span> <span class="n">ip</span><span class="p">,</span> <span class="n">status</span> <span class="ow">in</span> <span class="nf">tail_log</span><span class="p">(</span><span class="n">log_file</span><span class="p">):</span> <span class="c1"># 1. Add to sliding windows </span> <span class="nf">add_request</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">status</span><span class="p">)</span> <span class="n">baseline</span><span class="p">.</span><span class="nf">record_request</span><span class="p">(</span><span class="n">is_error</span><span class="o">=</span><span class="p">(</span><span class="n">status</span> <span class="o">&gt;=</span> <span class="mi">400</span><span class="p">))</span> <span class="c1"># 2. Unban expired IPs </span> <span class="n">blocker</span><span class="p">.</span><span class="nf">unblock_expired</span><span class="p">()</span> <span class="c1"># 3. Get current stats </span> <span class="n">mean</span> <span class="o">=</span> <span class="n">baseline</span><span class="p">.</span><span class="n">baseline</span><span class="p">[</span><span class="sh">"</span><span class="s">mean</span><span class="sh">"</span><span class="p">]</span> <span class="n">std</span> <span class="o">=</span> <span class="n">baseline</span><span class="p">.</span><span class="n">baseline</span><span class="p">[</span><span class="sh">"</span><span class="s">std</span><span class="sh">"</span><span class="p">]</span> <span class="n">ip_rate</span> <span class="o">=</span> <span class="nf">get_ip_rate</span><span class="p">(</span><span class="n">ip</span><span class="p">)</span> <span class="c1"># 4. Check for IP anomaly </span> <span class="n">anomaly</span><span class="p">,</span> <span class="n">reason</span> <span class="o">=</span> <span class="n">detector</span><span class="p">.</span><span class="nf">detect_ip</span><span class="p">(</span><span class="n">ip_rate</span><span class="p">,</span> <span class="n">mean</span><span class="p">,</span> <span class="n">std</span><span class="p">)</span> <span class="k">if</span> <span class="n">anomaly</span><span class="p">:</span> <span class="n">blocker</span><span class="p">.</span><span class="nf">block_ip</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">reason</span><span class="p">,</span> <span class="n">ip_rate</span><span class="p">,</span> <span class="n">mean</span><span class="p">)</span> <span class="c1"># 5. Check for global anomaly </span> <span class="n">global_rate</span> <span class="o">=</span> <span class="nf">get_global_rate</span><span class="p">()</span> <span class="n">g_anomaly</span><span class="p">,</span> <span class="n">g_reason</span> <span class="o">=</span> <span class="n">detector</span><span class="p">.</span><span class="nf">detect_global</span><span class="p">(</span><span class="n">global_rate</span><span class="p">,</span> <span class="n">mean</span><span class="p">,</span> <span class="n">std</span><span class="p">)</span> <span class="k">if</span> <span class="n">g_anomaly</span><span class="p">:</span> <span class="n">notifier</span><span class="p">.</span><span class="nf">send_global_alert</span><span class="p">(</span><span class="n">g_reason</span><span class="p">,</span> <span class="n">global_rate</span><span class="p">,</span> <span class="n">mean</span><span class="p">)</span> </code></pre> </div> <p>That's it. For every single HTTP request that hits the server, this code runs in milliseconds — checking whether it's part of an attack.</p> <h2> Deploying with Docker </h2> <p>The entire stack runs in Docker containers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">nextcloud</span><span class="pi">:</span> <span class="c1"># the actual app (pre-built image, not modified)</span> <span class="na">nginx</span><span class="pi">:</span> <span class="c1"># reverse proxy + JSON logging</span> <span class="na">detector</span><span class="pi">:</span> <span class="c1"># our Python daemon</span> </code></pre> </div> <p>The Nginx logs are shared via a <strong>named Docker volume</strong> called <code>HNG-nginx-logs</code>. Nginx writes to it, and our detector reads from it — even though they're in separate containers.</p> <p>The detector runs with <code>network_mode: host</code> and <code>privileged: true</code> so that iptables commands affect the actual host machine's firewall, not just the container's network namespace.</p> <h2> Lessons Learned </h2> <p><strong>1. Never hardcode thresholds.</strong> What's "too many requests" depends entirely on your traffic patterns. Build a system that learns.</p> <p><strong>2. Deques are perfect for sliding windows.</strong> Python's <code>collections.deque</code> with a maxlen or manual eviction is exactly the right data structure for time-based windows.</p> <p><strong>3. Two detection methods are better than one.</strong> Z-score catches gradual increases. Rate multiplier catches sudden spikes. Together they cover more attack patterns.</p> <p><strong>4. Store secrets in environment variables.</strong> Never commit API keys, webhook URLs, or passwords to git. Use <code>.env</code> files that are gitignored.</p> <p><strong>5. Daemons beat cron jobs.</strong> A continuously running daemon reacts in milliseconds. A cron job that runs every minute can miss a 30-second attack entirely.</p> <h2> The Result </h2> <p>After all this work, here's what the live dashboard looks like:</p> <ul> <li>Global Req/s updating in real time</li> <li>Baseline Mean and Std Dev learned from actual traffic</li> <li>Active bans with conditions and durations</li> <li>Top 10 source IPs</li> <li>Audit log showing every ban, unban, and baseline recalculation</li> </ul> <p>When an attack comes in, the sequence is:</p> <ol> <li>Request arrives → sliding window updated</li> <li>Z-score computed → exceeds 3.0</li> <li>iptables rule added within 10 seconds</li> <li>Slack alert sent to team</li> <li>Audit log entry written</li> <li>Dashboard updates to show new ban</li> </ol> <p>All of this happens automatically, 24/7, without any human intervention.</p> <h2> Resources </h2> <ul> <li><a href="https://docs.python.org/3/library/collections.html#collections.deque" rel="noopener noreferrer">Python deque documentation</a></li> <li><a href="https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html" rel="noopener noreferrer">iptables beginner guide</a></li> <li><a href="https://www.statisticshowto.com/probability-and-statistics/z-score/" rel="noopener noreferrer">Z-score explained simply</a></li> <li><a href="https://flask.palletsprojects.com/en/3.0.x/quickstart/" rel="noopener noreferrer">Flask quickstart</a></li> <li><a href="https://docs.docker.com/compose/" rel="noopener noreferrer">Docker Compose documentation</a></li> </ul> <p><em>Built for HNG Internship Stage 3 — DevOps Track</em><br> <em><a href="https://github.com/ntonous/hng14-stage3-ddos-detector.git" rel="noopener noreferrer">https://github.com/ntonous/hng14-stage3-ddos-detector.git</a></em></p> devops python security docker