Introduction

As a beginner stepping into DevOps and cybersecurity, I wanted to build something practical and impactful, not just theory.

So I built a real-time DDoS detection and mitigation system that:

- Monitors live traffic from Nginx logs
- Detects suspicious spikes using statistics
- Automatically blocks attacking IPs
- Sends alerts to Slack
- Displays everything on a live dashboard

In this post, I'll walk you through exactly how it works, in a simple, beginner-friendly way.

What Problem Am I Solving?

A DDoS (Distributed Denial of Service) attack happens when a server gets flooded with too many requests.

This can:

- Slow down your app
- Crash your server
- Make your service unavailable

My solution: build a system that can detect abnormal traffic and stop it automatically.

Project Architecture

Here's what I used:

- Nginx: handles incoming traffic
- Nextcloud: sample app (target)
- Python daemon: detects attacks
- Docker Compose: runs everything
- Slack Webhook: sends alerts
- Dashboard UI: shows live metrics

Step 1: Monitoring Nginx Logs

Nginx logs every request like this:

    127.0.0.1 - - [timestamp] "GET /index.html" 200

My system:

- Reads logs in real time
- Extracts:
  - IP address
  - Timestamp
  - Status code

Step 2: Sliding Window (Core Idea)

To detect attacks, I track requests over time using a sliding window.

Think of it like: "How many requests happened in the last 60 seconds?"

I used Python's deque to:

- Add new requests
- Remove old ones automatically

Step 3: Building a Baseline

Instead of guessing what's "too much traffic", I calculate a baseline:

- Track requests per second over 30 minutes
- Compute:
  - Mean (average traffic)
  - Standard deviation

This helps answer: "What does normal traffic look like?"

Step 4: Detecting Anomalies

I detect attacks using two methods:

- Z-score: if traffic is far above normal (z-score > 3)
- Spike detection: if traffic is 5x the average

If either condition is true, it's an attack.
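Steps 1 to 4 form one detection pipeline, so here is a single worked example of it. This is example code added for this post, not the code from the project's repository: the log regex assumes the default Nginx combined format, the sample log lines are constructed, and the 30-minute baseline is taken as 1800 one-second samples. The z-score is treated as 0 when the standard deviation is 0, so a perfectly flat baseline cannot divide by zero and the 5x spike rule still fires on its own.

```python
import re
import statistics
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Assumed default Nginx "combined" log format; the post's own parser may differ.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Extract ip, timestamp and status code from one access-log line (None if unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "status": int(m.group("status"))}


class SlidingWindow:
    """Keeps (timestamp, ip) pairs from the last `seconds` seconds; assumes lines arrive in order."""

    def __init__(self, seconds=60):
        self.seconds = seconds
        self.events = deque()  # oldest first

    def add(self, ts, ip):
        self.events.append((ts, ip))
        self._expire(ts)

    def _expire(self, now):
        cutoff = now - timedelta(seconds=self.seconds)
        while self.events and self.events[0][0] < cutoff:
            self.events.popleft()  # old requests fall off the left end

    def count(self, now):
        self._expire(now)
        return len(self.events)

    def rate(self, now):
        """Requests per second averaged over the window."""
        return self.count(now) / self.seconds

    def top_ips(self, now, n=10):
        """The dashboard's 'Top 10 IPs' view: heaviest talkers in the window."""
        self._expire(now)
        return Counter(ip for _, ip in self.events).most_common(n)


class Baseline:
    """Rolling requests-per-second samples; 1800 samples at 1 Hz covers the post's 30 minutes."""

    def __init__(self, max_samples=1800):
        self.samples = deque(maxlen=max_samples)

    def add(self, rps):
        self.samples.append(rps)

    def mean(self):
        return statistics.fmean(self.samples) if self.samples else 0.0

    def stdev(self):
        return statistics.pstdev(self.samples) if len(self.samples) > 1 else 0.0


def is_anomalous(rps, baseline, z_threshold=3.0, spike_factor=5.0):
    """Both rules from the post: z-score > 3, or current rate >= 5x the baseline mean."""
    mean, sd = baseline.mean(), baseline.stdev()
    z = (rps - mean) / sd if sd > 0 else 0.0  # flat baseline: z undefined, treat as 0
    spike = mean > 0 and rps >= spike_factor * mean
    return (z > z_threshold or spike), z


def demo():
    """Feed constructed log lines (one noisy client, one quiet one) through the pipeline."""
    baseline = Baseline()
    for rps in [2, 2, 2, 2, 3, 3, 2, 2]:  # constructed "normal" samples, mean 2.25
        baseline.add(rps)
    window = SlidingWindow(60)
    t0 = datetime(2024, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = [
        f'203.0.113.7 - - [{(t0 + timedelta(seconds=i // 20)).strftime(fmt)}] "GET / HTTP/1.1" 200'
        for i in range(1200)  # 20 requests/second for 60 seconds (constructed)
    ]
    lines.append(f'198.51.100.9 - - [{(t0 + timedelta(seconds=30)).strftime(fmt)}] "GET /index.html HTTP/1.1" 200')
    now = t0
    for line in lines:
        rec = parse_line(line)
        if rec:
            window.add(rec["ts"], rec["ip"])
            now = max(now, rec["ts"])
    anomalous, z = is_anomalous(window.rate(now), baseline)
    return {"anomalous": anomalous, "z": z, "count": window.count(now), "top": window.top_ips(now, 10)}
```

Running `demo()` shows the two halves of the design working together: the global rate trips both rules, and `top_ips` singles out the one address responsible, which is the input the blocking step needs.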
Step 5: Blocking Attackers

When an IP is suspicious, I block it using iptables. Example (the address is a placeholder):

    iptables -A INPUT -s <ATTACKER_IP> -j DROP

Step 6: Auto-Unban System

Not every spike is an attack forever.

So I implemented a backoff unban system. Each repeat offence earns a longer ban:

- 10 minutes
- 30 minutes
- 2 hours
- Permanent (if repeated)
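To make Steps 5 and 6 concrete, here is an added example of a ban manager with the escalating schedule above. It is not the project's code: the iptables invocation is injected as a callable so the logic can be exercised without root (the `simulate()` function uses a fake clock and records the commands instead of running them), and the unban path removes exactly the rule that the ban path added.

```python
import subprocess
import time

# Escalation schedule from the post; None means a permanent ban.
BACKOFF_SECONDS = [10 * 60, 30 * 60, 2 * 60 * 60, None]


def run_iptables(args):
    """Default runner: invoke the real iptables binary (needs root)."""
    subprocess.run(["iptables", *args], check=True)


class BanManager:
    """Tracks per-IP offences, bans with growing durations, and lifts expired bans."""

    def __init__(self, runner=run_iptables, clock=time.time):
        self.runner = runner      # callable taking the iptables argument list
        self.clock = clock        # callable returning epoch seconds
        self.offences = {}        # ip -> how many times it has been banned
        self.active = {}          # ip -> expiry epoch seconds, or None if permanent

    def ban(self, ip):
        """Block `ip`; returns the expiry time, or None for a permanent ban."""
        if ip in self.active:
            return self.active[ip]  # already blocked, do not add a duplicate rule
        n = self.offences.get(ip, 0)
        duration = BACKOFF_SECONDS[min(n, len(BACKOFF_SECONDS) - 1)]
        self.offences[ip] = n + 1
        expiry = None if duration is None else self.clock() + duration
        # Same rule shape as the post's example; -A appends to the INPUT chain.
        self.runner(["-A", "INPUT", "-s", ip, "-j", "DROP"])
        self.active[ip] = expiry
        return expiry

    def expire(self):
        """Remove rules whose ban has run out; returns the list of released IPs."""
        now = self.clock()
        released = []
        for ip, expiry in list(self.active.items()):
            if expiry is not None and expiry <= now:
                self.runner(["-D", "INPUT", "-s", ip, "-j", "DROP"])  # -D deletes the matching rule
                del self.active[ip]
                released.append(ip)
        return released


def simulate(ip="203.0.113.7"):
    """Drive one repeat offender through the whole schedule with a fake clock; no iptables calls."""
    state = {"now": 1_000_000.0}
    commands = []
    mgr = BanManager(runner=commands.append, clock=lambda: state["now"])
    durations = []
    for _ in range(len(BACKOFF_SECONDS)):
        expiry = mgr.ban(ip)
        durations.append(None if expiry is None else expiry - state["now"])
        state["now"] += (7 * 24 * 3600)  # jump a week ahead so any timed ban has lapsed
        mgr.expire()
    return {"durations": durations, "still_banned": ip in mgr.active, "commands": commands}
```

The `offences` counter is what turns a fourth spike into a permanent block; resetting it after a long quiet period is a reasonable refinement, but the post's schedule as stated does not do so.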
Step 7: Slack Alerts

I used Slack webhooks to send alerts like:

- Global traffic spike
- IP blocked
- IP unbanned

Step 8: Live Dashboard

I built a simple dashboard that shows:

- Global requests per second
- Top 10 IPs
- Banned IPs
- CPU & memory usage
- Baseline stats

It refreshes every 3 seconds.

Step 9: Dockerizing Everything

I used Docker Compose to run:

- Nginx
- Nextcloud
- Detector service

This made setup easy and reproducible.

Challenges I Faced

- Secrets in GitHub: GitHub blocked my push because of a Slack webhook.
  Fix: moved the webhook to environment variables.
- Container Not Starting: my app kept crashing because config.yaml was missing.
  Fix: added it to the Docker image.
- No Slack Alerts: the container couldn't access environment variables.
  Fix: passed the variables via docker-compose.yml.
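The last two fixes come down to how the detector container is assembled, so here is an added Compose fragment showing the pattern; it is not the project's own docker-compose.yml, and the service name, image name and variable name are assumptions. The webhook value lives only in a `.env` file that stays out of Git, Compose substitutes it into the container's environment, and the config file is copied in at build time rather than expected to appear at run time.

```yaml
# docker-compose.yml (added example; names are assumptions)
services:
  detector:
    build: ./detector            # Dockerfile there does: COPY config.yaml /app/config.yaml
    environment:
      # Substituted from a .env file next to this compose file; .env is listed in .gitignore
      SLACK_WEBHOOK_URL: ${SLACK_WEBHOOK_URL}
    volumes:
      - nginx_logs:/var/log/nginx:ro   # read the access log the nginx service writes
    cap_add:
      - NET_ADMIN                      # needed for iptables rule changes on the host network
    network_mode: host
    depends_on:
      - nginx

  nginx:
    image: nginx:alpine
    volumes:
      - nginx_logs:/var/log/nginx

volumes:
  nginx_logs:

# .env (never committed; constructed placeholder value)
# SLACK_WEBHOOK_URL=https://hooks.slack.com/services/PLACEHOLDER/PLACEHOLDER/PLACEHOLDER
```

With this layout `docker compose config` shows the substituted value locally, which is a quick way to confirm the variable is actually reaching the service before debugging missing alerts inside the container.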
What I Learned

- How real-time log monitoring works
- How to detect anomalies using statistics
- How to automate security responses
- How to use Docker in real projects
- Why never to commit secrets

Final Thoughts

This project helped me move from "just learning DevOps" to "building real-world systems".

If you're a beginner, I highly recommend building something like this.

Dashboard URL: http://52.203.164.199:5000/
GitHub Repo: https://github.com/George-Adaba/anomaly-detection-ddos.git