Have you ever wondered how websites defend themselves when thousands of computers suddenly try to crash them at once? This is called a DDoS (Distributed Denial of Service) attack. It is the digital equivalent of a massive crowd blocking the entrance to a physical store so that regular customers cannot get in.
For a recent DevSecOps project at HNG, I built a smart security tool from scratch to detect and stop these attacks automatically!
Let me break down how it works in plain English. No heavy security experience is required!
🧐 What This Project Does and Why It Matters
Normally, a website server is "passive." It just handles whatever traffic comes its way. If an attacker floods it with requests, the server gets overwhelmed and crashes.
My project is a Daemon (a background program) that acts like a smart security guard standing next to the server. It constantly reads the server's visitor logs in real-time, calculates what "normal" traffic looks like, and automatically locks out anyone acting suspiciously.
It matters because small businesses and independent creators often cannot afford expensive security tools like Cloudflare. This project proves you can build a lightweight, intelligent defense system using free, open-source tools.
⏱️ Concept 1: The "Sliding Window" (How it watches traffic)
To know if someone is attacking, we cannot just look at total numbers. We need to know how fast they are moving. We do this using a Sliding Window.
Imagine holding a physical window frame that is exactly 60 seconds wide over a long timeline of events. As time moves forward, you slide the frame along with it. You only ever see the events inside that 60-second frame.
💻 How I coded it:
I used a Python structure called a deque (double-ended queue).
When a visitor makes a request, we add the current time to the right side of our list. We then look at the left side (the oldest events).
If a timestamp is older than 60 seconds ago, we kick it out!
📊 Concept 2: The Baseline (How it learns "Normal")
How do we know if 5 requests per second is an attack or just a busy day? We have to teach the computer to learn!
My tool looks at the traffic over a rolling 30-minute window. Every 60 seconds, a background math thread wakes up and calculates the Average (Mean) traffic speed.
If the server usually gets 0.2 requests per second on a quiet Tuesday, the tool remembers that as the "Baseline."
If a sudden spike happens, the tool compares the spike to this learned baseline to see if it is out of the ordinary.
Because it recalculates every minute, the security guard adapts. If your website legitimately gets more popular over time, the guard will not accidentally ban your new fans!
🧠 Concept 3: The Detection Brain (Making the decision)
Once the tool knows the current speed and the normal baseline, how does it decide to pull the alarm? It uses a bit of statistics called a Z-score.
Think of a Z-score as a measure of "weirdness."
A Z-score of 0 means the traffic is perfectly normal.
A Z-score of 1 or 2 means it is a bit busy, but acceptable.
A Z-score of 3 or higher means this behavior is a statistical freak event!
If a single visitor's Z-score crosses 3.0, or if they are moving 5× faster than the baseline average, the brain makes a split-second decision: BAN THEM.
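Here is how Concepts 1, 2 and 3 fit together in code. This is an added example written for this breakdown, not code from the project's repository: the traffic it replays, the IP addresses, the once-a-minute sampling loop (which stands in for the background thread) and the MIN_SAMPLES warm-up constant are all constructed assumptions.

```python
# Added example (not the project's own code): Concepts 1-3 wired together.
# The traffic, IP addresses and constants below are constructed for the demo;
# the real daemon reads these events from a live access log.
from collections import deque
from statistics import mean, pstdev

WINDOW_SECONDS = 60          # Concept 1: per-IP sliding window
BASELINE_SECONDS = 30 * 60   # Concept 2: rolling history behind the baseline
MIN_SAMPLES = 5              # assumption: never ban before this many samples
Z_THRESHOLD = 3.0            # Concept 3: "statistical freak event"
RATIO_THRESHOLD = 5.0        # Concept 3: or 5x the baseline average


class SlidingWindow:
    """Deque of request timestamps; only the last `width` seconds survive."""

    def __init__(self, width=WINDOW_SECONDS):
        self.width, self.events = width, deque()

    def trim(self, now):
        # Oldest events sit on the left; kick them out once they leave the frame.
        while self.events and now - self.events[0] > self.width:
            self.events.popleft()

    def add(self, ts):
        self.events.append(ts)   # newest request goes on the right
        self.trim(ts)

    def rate(self, now):
        """Requests per second inside the frame that ends at `now`."""
        self.trim(now)
        return len(self.events) / self.width


class Baseline:
    """Rolling 30-minute history of once-a-minute rate samples."""

    def __init__(self, history=BASELINE_SECONDS):
        self.history, self.samples = history, deque()   # (time, req/s)

    def record(self, rate, now):
        self.samples.append((now, rate))
        while self.samples and now - self.samples[0][0] > self.history:
            self.samples.popleft()

    def stats(self):
        """(mean, std) of the learned rates, or None while still learning."""
        if len(self.samples) < MIN_SAMPLES:
            return None
        rates = [r for _, r in self.samples]
        return mean(rates), pstdev(rates)


def should_ban(rate, baseline):
    """Reason to ban a visitor running at `rate` req/s, or None."""
    stats = baseline.stats()
    if stats is None:
        return None              # unlearned baseline: stay quiet
    mean_rate, std_rate = stats
    if std_rate > 0:             # z-score is undefined on a perfectly flat baseline
        z = (rate - mean_rate) / std_rate
        if z >= Z_THRESHOLD:
            return f"z-score {z:.1f} >= {Z_THRESHOLD}"
    if mean_rate > 0 and rate >= RATIO_THRESHOLD * mean_rate:
        return f"{rate / mean_rate:.1f}x the baseline of {mean_rate:.2f} req/s"
    return None


def replay(events):
    """Feed chronological (timestamp, ip) events through the pipeline; returns {ip: reason}."""
    per_ip, total, baseline, banned = {}, SlidingWindow(), Baseline(), {}
    next_sample = None
    for ts, ip in events:
        next_sample = ts + 60 if next_sample is None else next_sample
        while ts >= next_sample:                 # stand-in for the 60 s math thread
            baseline.record(total.rate(next_sample), next_sample)
            next_sample += 60
        if ip in banned:
            continue                             # iptables is already dropping these
        window = per_ip.setdefault(ip, SlidingWindow())
        window.add(ts)
        reason = should_ban(window.rate(ts), baseline)
        if reason:
            banned[ip] = reason
            continue                             # keep the flood out of the baseline
        total.add(ts)
    return banned


def constructed_traffic():
    """31 quiet minutes (about 0.2 req/s from four regulars), then a flood."""
    t0, regulars = 1_700_000_000, ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
    events = [(t0 + 5 * i, regulars[i % 4]) for i in range(31 * 12)]
    events += [(t0 + 302, "10.0.0.1"), (t0 + 902, "10.0.0.2")]   # a little jitter
    events.sort()
    flood_start = t0 + 31 * 60                   # 203.0.113.7 sends 10 req/s for 10 s
    return events + [(flood_start + i / 10, "203.0.113.7") for i in range(100)]
```

Calling `replay(constructed_traffic())` returns only the flooding address, banned on its 13th request because its 60-second rate is already more than three standard deviations above the quiet-Tuesday mean, while the four regulars never get near either threshold. Two details matter in practice: the guard stays silent until the baseline has enough samples (otherwise the first visitor of the day is "5× the average"), and once an address is banned its traffic is no longer fed into the baseline, so a flood cannot teach the guard that floods are normal.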
🧱 Concept 4: The Shield (iptables)
Deciding to ban someone is useless if you cannot actually stop them. This is where iptables comes in.
iptables is the native firewall built directly into the Linux operating system. It sits at the absolute front door of the server.
When my Python script decides an IP address is malicious, it does not try to ignore the requests. It sends a command to the Linux kernel saying:
"Hey iptables, see this IP address? Add it to the DROP list."
The moment that rule is applied, the Linux kernel silently drops every packet coming from that attacker. The attacker gets a "Connection Timed Out" error, and your website stays fast and safe for everyone else!
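The shield step looks like this when written as a small, testable wrapper. This is an added example for this breakdown, not the project's own code: the page does not show the daemon's exact iptables command, so the rule here is a plain INPUT-chain DROP, the ALLOWLIST of networks that must never be locked out is an assumption, and DryRun is a stand-in for subprocess.run so the logic can be exercised without root.

```python
# Added example (not the project's own code): the "shield" step as a small
# wrapper around iptables. The rule is a plain INPUT-chain DROP; the daemon's
# actual command is not shown on the page. DryRun replaces subprocess.run so
# the decision logic can be checked without touching a real firewall.
import ipaddress
import subprocess

ALLOWLIST = ("127.0.0.0/8",)   # assumption: networks the guard must never lock out


def drop_rule(ip):
    """Binary and argument list for `-s <ip> -j DROP`, using ip6tables for IPv6."""
    binary = "ip6tables" if ip.version == 6 else "iptables"
    return binary, ["INPUT", "-s", str(ip), "-j", "DROP"]


def ban(ip_text, allowlist=ALLOWLIST, run=subprocess.run):
    """Insert a DROP rule for one address; returns a short word saying what happened."""
    # Parse first: a malformed log field raises ValueError and never reaches iptables.
    ip = ipaddress.ip_address(ip_text.strip())
    if any(ip in ipaddress.ip_network(net) for net in allowlist):
        return "allowlisted"
    binary, rule = drop_rule(ip)
    # `-C` exits 0 when an identical rule already exists, so we never stack duplicates.
    if run([binary, "-C", *rule], capture_output=True).returncode == 0:
        return "already-banned"
    run([binary, "-I", *rule], check=True, capture_output=True)
    return "banned"


def unban(ip_text, run=subprocess.run):
    """Delete the DROP rule again, e.g. when a ban expires."""
    binary, rule = drop_rule(ipaddress.ip_address(ip_text.strip()))
    result = run([binary, "-D", *rule], capture_output=True)
    return "unbanned" if result.returncode == 0 else "not-present"


class DryRun:
    """Records commands instead of executing them; pretends no rule exists yet."""

    def __init__(self):
        self.commands = []

    def __call__(self, argv, **kwargs):
        self.commands.append(list(argv))
        return subprocess.CompletedProcess(argv, 1 if "-C" in argv else 0)
```

Call `ban("203.0.113.7")` from the detection code to use the real firewall; the process needs root (or the NET_ADMIN capability), and inside Docker the container must both be granted NET_ADMIN and share the host's network namespace, or the rule lands in the container's own table instead of the server's front door. The `-C` check before `-I` keeps one rule per address, and `unban` exists because bans should expire: a carrier-grade NAT can put hundreds of innocent people behind one address, so a ban that never lifts turns a short flood into a permanent outage for them.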
🏆 Wrapping Up
Building this was a fantastic journey into combining software development with system security. In just a few hundred lines of Python running inside Docker, we created a system that:
- Watches live logs.
- Learns normal traffic patterns.
- Automatically triggers a firewall to block bad actors.
- Messages me on Slack to let me know it handled the threat.
Check out the full open-source code and setup instructions on my GitHub repository here: https://github.com/KellsCodes/HNG14stage3
If you found this breakdown helpful, drop a reaction or leave a comment below! I would love to hear how you handle server security. 🚀