DEV Community: Hendy The latest articles on DEV Community by Hendy (@iamhendy). https://dev.to/iamhendy https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3903121%2Fb4f17c85-65c0-4a69-abe3-eef6977df555.png DEV Community: Hendy https://dev.to/iamhendy en How I Built a Real-Time DDoS Detection Engine for Nextcloud from Scratch Hendy Tue, 28 Apr 2026 20:34:40 +0000 https://dev.to/iamhendy/how-i-built-a-real-time-ddos-detection-engine-for-nextcloud-from-scratch-17hl https://dev.to/iamhendy/how-i-built-a-real-time-ddos-detection-engine-for-nextcloud-from-scratch-17hl <h1> How I Built a Real-Time DDoS Detection Engine for Nextcloud from Scratch </h1> <h2> Introduction </h2> <p>Imagine you're running a cloud storage platform used by thousands of people around the world. One day, your boss walks in and says: <em>"We've been seeing suspicious traffic. Build something that detects and blocks attacks automatically."</em></p> <p>That's exactly the challenge I faced. In this post, I'll walk you through how I built a real-time anomaly detection engine that watches HTTP traffic, learns what normal looks like, and automatically blocks attackers — all without using any third-party rate-limiting libraries.</p> <p>By the end of this post, you'll understand:</p> <ul> <li>How sliding windows track request rates in real time</li> <li>How a baseline learns from your own traffic patterns</li> <li>How z-score math decides if something is an attack</li> <li>How iptables drops malicious IPs at the kernel level</li> </ul> <h2> What Does the Project Do? </h2> <p>The system sits alongside a Nextcloud instance and does five things continuously:</p> <ol> <li> <strong>Reads</strong> Nginx access logs in real time, line by line</li> <li> <strong>Tracks</strong> request rates using sliding windows (per IP and globally)</li> <li> <strong>Learns</strong> what normal traffic looks like using a rolling baseline</li> <li> <strong>Detects</strong> anomalies when traffic deviates significantly from normal</li> <li> <strong>Blocks</strong> suspicious IPs automatically using iptables</li> </ol> <p>Here's the overall architecture:<br> Internet → Nginx (JSON logs) → Nextcloud<br> ↓<br> Log Volume (shared)<br> ↓<br> Python Daemon<br> ├── Monitor (reads logs)<br> ├── Baseline (learns traffic)<br> ├── Detector (flags anomalies)<br> ├── Blocker (iptables rules)<br> ├── Unbanner (auto-release)<br> ├── Notifier (Slack alerts)</p> <h2> └── Dashboard (live metrics) </h2> <h2> How the Sliding Window Works </h2> <p>A sliding window is a way of asking: <em>"How many requests happened in the last 60 seconds?"</em></p> <p>The naive approach would be to count all requests every minute — but that gives you a stale snapshot, not a real-time view.</p> <p>Instead, I used Python's <code>collections.deque</code> — a double-ended queue. Here's the idea:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span> <span class="kn">import</span> <span class="n">time</span> <span class="c1"># One deque per IP </span><span class="n">ip_window</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">()</span> <span class="k">def</span> <span class="nf">record_request</span><span class="p">(</span><span class="n">ip</span><span class="p">):</span> <span class="n">now</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="n">cutoff</span> <span class="o">=</span> <span class="n">now</span> <span class="o">-</span> <span class="mi">60</span> <span class="c1"># 60-second window </span> <span class="c1"># Add current timestamp to the right </span> <span class="n">ip_window</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="c1"># Evict old timestamps from the left </span> <span class="k">while</span> <span class="n">ip_window</span> <span class="ow">and</span> <span class="n">ip_window</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">ip_window</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="c1"># Current rate = requests in last 60 seconds </span> <span class="n">rate</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">ip_window</span><span class="p">)</span> <span class="o">/</span> <span class="mi">60</span> <span class="k">return</span> <span class="n">rate</span> </code></pre> </div> <p>Every time a request comes in, its timestamp is appended to the right. Old timestamps (older than 60 seconds) are removed from the left using <code>popleft()</code>. The current rate is simply the length of the deque divided by 60.</p> <p>This gives us a perfectly accurate rolling count with O(1) insertions and evictions. No databases, no counters that reset at fixed intervals.</p> <p>I maintain two windows:</p> <ul> <li> <strong>Per-IP window:</strong> one deque per IP address</li> <li> <strong>Global window:</strong> one deque for all traffic combined</li> </ul> <h2> How the Baseline Learns from Traffic </h2> <p>The baseline answers the question: <em>"What does normal traffic look like on this server?"</em></p> <p>Instead of hardcoding a threshold like "flag anything above 10 req/s", I compute the mean and standard deviation from actual recent traffic.</p> <p>Here's how it works:</p> <p><strong>Rolling 30-minute window:</strong><br> Every second, I record how many requests arrived that second. I keep a rolling window of the last 30 minutes (1800 seconds) of these per-second counts.</p> <p><strong>Recalculation every 60 seconds:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">counts</span> <span class="o">=</span> <span class="p">[</span><span class="n">c</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">window</span><span class="p">]</span> <span class="n">mean</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">counts</span><span class="p">)</span> <span class="o">/</span> <span class="nf">len</span><span class="p">(</span><span class="n">counts</span><span class="p">)</span> <span class="n">variance</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">((</span><span class="n">c</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">**</span> <span class="mi">2</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">counts</span><span class="p">)</span> <span class="o">/</span> <span class="nf">len</span><span class="p">(</span><span class="n">counts</span><span class="p">)</span> <span class="n">stddev</span> <span class="o">=</span> <span class="n">math</span><span class="p">.</span><span class="nf">sqrt</span><span class="p">(</span><span class="n">variance</span><span class="p">)</span> </code></pre> </div> <p><strong>Per-hour slots:</strong><br> The baseline stores separate mean/stddev values per hour. This means if your server is busier at 9am than at 3am, the baseline adapts automatically.</p> <p><strong>Floor values:</strong><br> To avoid division by zero on idle servers, I set minimum values:</p> <ul> <li><code>floor_mean = 0.1 req/s</code></li> <li><code>floor_stddev = 0.1</code></li> </ul> <h2> How the Detection Logic Makes a Decision </h2> <p>Once I have the baseline mean and stddev, I use <strong>z-score</strong> to decide if a rate is anomalous.</p> <p>The z-score measures how many standard deviations a value is from the mean:<br> z = (current_rate - mean) / stddev<br> If <code>z &gt; 3.0</code>, that means the current rate is more than 3 standard deviations above normal — statistically very unlikely under normal conditions.</p> <p>I also add a rate multiplier check as a backup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">check_ip</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">ip</span><span class="p">):</span> <span class="n">mean</span><span class="p">,</span> <span class="n">stddev</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">baseline</span><span class="p">.</span><span class="nf">get_baseline</span><span class="p">()</span> <span class="n">rate</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">get_ip_rate</span><span class="p">(</span><span class="n">ip</span><span class="p">)</span> <span class="c1"># Z-score check </span> <span class="k">if</span> <span class="n">stddev</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span> <span class="n">zscore</span> <span class="o">=</span> <span class="p">(</span><span class="n">rate</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">/</span> <span class="n">stddev</span> <span class="k">if</span> <span class="n">zscore</span> <span class="o">&gt;</span> <span class="mf">3.0</span><span class="p">:</span> <span class="k">return</span> <span class="bp">True</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">zscore=</span><span class="si">{</span><span class="n">zscore</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="sh">"</span> <span class="c1"># Rate multiplier check </span> <span class="k">if</span> <span class="n">rate</span> <span class="o">&gt;</span> <span class="mi">5</span> <span class="o">*</span> <span class="n">mean</span><span class="p">:</span> <span class="k">return</span> <span class="bp">True</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">rate=</span><span class="si">{</span><span class="n">rate</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s"> &gt; 5x mean</span><span class="sh">"</span> <span class="k">return</span> <span class="bp">False</span><span class="p">,</span> <span class="bp">None</span> </code></pre> </div> <p><strong>Error surge detection:</strong><br> If an IP's 4xx/5xx error rate is 3x higher than the baseline error rate, the thresholds are automatically tightened by 30%. This catches attackers who probe for vulnerabilities before launching a full attack.</p> <h2> How iptables Blocks an IP </h2> <p>When an IP is flagged as anomalous, blocking happens at the <strong>kernel level</strong> using iptables — before traffic even reaches Nginx or Nextcloud.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">subprocess</span> <span class="k">def</span> <span class="nf">ban</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">ip</span><span class="p">):</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span> <span class="sh">'</span><span class="s">iptables</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">-I</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">INPUT</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">-s</span><span class="sh">'</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="sh">'</span><span class="s">-j</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">DROP</span><span class="sh">'</span> <span class="p">])</span> </code></pre> </div> <p>The <code>-I INPUT</code> inserts the rule at the top of the INPUT chain. <code>-s</code> specifies the source IP. <code>-j DROP</code> silently drops all packets from that IP.</p> <p>This is extremely efficient — the kernel drops packets without any application-level processing.</p> <p><strong>Auto-unban with backoff schedule:</strong><br> Bans don't last forever. The unbanner releases IPs on a backoff schedule:</p> <ul> <li>1st ban: 10 minutes</li> <li>2nd ban: 30 minutes </li> <li>3rd ban: 2 hours</li> <li>4th ban+: permanent </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">unban_schedule</span> <span class="o">=</span> <span class="p">[</span><span class="mi">600</span><span class="p">,</span> <span class="mi">1800</span><span class="p">,</span> <span class="mi">7200</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">]</span> <span class="c1"># seconds, -1 = permanent </span></code></pre> </div> <h2> The Live Dashboard </h2> <p>The system serves a live dashboard at a public domain showing:</p> <ul> <li>Global request rate vs baseline</li> <li>Banned IPs and their ban counts</li> <li>Top 10 source IPs by request rate</li> <li>CPU and memory usage</li> <li>Uptime</li> </ul> <p>Built with Flask and auto-refreshes every 3 seconds.</p> <h2> Slack Alerts </h2> <p>Every ban, unban, and global anomaly sends a Slack notification with:</p> <ul> <li>The IP address</li> <li>The condition that fired (z-score or rate multiplier)</li> <li>Current rate vs baseline</li> <li>Ban duration</li> <li>Timestamp</li> </ul> <h2> What I Learned </h2> <p>Building this from scratch taught me:</p> <ol> <li> <strong>Deques are powerful</strong> — simple data structures can solve complex real-time problems elegantly</li> <li> <strong>Statistics beat hardcoded thresholds</strong> — a z-score adapts to your actual traffic patterns</li> <li> <strong>Kernel-level blocking is fast</strong> — iptables drops packets before your app even sees them</li> <li> <strong>Baselines need floors</strong> — always handle the idle server case</li> </ol> <h2> Source Code </h2> <p>The full source code is available on GitHub:<br> 👉 <a href="https://github.com/IamHendy/hng-anomaly-detector" rel="noopener noreferrer">https://github.com/IamHendy/hng-anomaly-detector</a></p> <p>The live dashboard is running at:<br> 👉 <a href="http://hendyogema.mooo.com" rel="noopener noreferrer">http://hendyogema.mooo.com</a></p> <p><em>Built as part of the HNG DevSecOps track — Stage 3 challenge.</em></p> cybersecurity networking security tutorial