👋 Introduction
As a beginner stepping into DevOps and cybersecurity, I wanted to build something practical and impactful — not just theory.
So I built a real-time DDoS detection and mitigation system that:
Monitors live traffic from Nginx logs
Detects suspicious spikes using statistics
Automatically blocks attacking IPs
Sends alerts to Slack
Displays everything on a live dashboard
In this post, I’ll walk you through exactly how it works — in a simple, beginner-friendly way.
🧠 What Problem Am I Solving?
A DDoS (Distributed Denial of Service) attack happens when a server gets flooded with too many requests.
This can:
Slow down your app
Crash your server
Make your service unavailable
👉 My solution:
Build a system that can detect abnormal traffic and stop it automatically
🏗️ Project Architecture
Here’s what I used:
Nginx → Handles incoming traffic
Nextcloud → Sample app (target)
Python daemon → Detects attacks
Docker Compose → Runs everything
Slack Webhook → Sends alerts
Dashboard UI → Shows live metrics
🔍 Step 1: Monitoring Nginx Logs
Nginx logs every request like this:
127.0.0.1 - - [timestamp] "GET /index.html" 200
My system:
Reads logs in real-time
Extracts:
IP address
Timestamp
Status code
⏱️ Step 2: Sliding Window (Core Idea)
To detect attacks, I track requests over time using a sliding window.
Think of it like:
“How many requests happened in the last 60 seconds?”
I used Python’s deque to:
Add new requests
Remove old ones automatically
📊 Step 3: Building a Baseline
Instead of guessing what’s “too much traffic”, I calculate a baseline:
Track requests per second over 30 minutes
Compute:
Mean (average traffic)
Standard deviation
This helps answer:
“What does normal traffic look like?”
🚨 Step 4: Detecting Anomalies
I detect attacks using two methods:
- Z-score
If traffic is far above normal:
z-score > 3
- Spike detection
If traffic is:
5x the average
👉 If either condition is true → it’s an attack
🔥 Step 5: Blocking Attackers
When an IP is suspicious:
I block it using iptables
Example:
iptables -A INPUT -s -j DROP
🔄 Step 6: Auto-Unban System
Not every spike is an attack forever.
So I implemented a backoff unban system:
10 minutes
30 minutes
2 hours
Permanent (if repeated)
🔔 Step 7: Slack Alerts
I used Slack webhooks to send alerts like:
🚨 Global traffic spike
🚨 IP blocked
✅ IP unbanned
📊 Step 8: Live Dashboard
I built a simple dashboard that shows:
Global requests per second
Top 10 IPs
Banned IPs
CPU & memory usage
Baseline stats
It refreshes every 3 seconds.
🐳 Step 9: Dockerizing Everything
I used Docker Compose to run:
Nginx
Nextcloud
Detector service
This made setup easy and reproducible.
⚠️ Challenges I Faced
- Secrets in GitHub
GitHub blocked my push because of a Slack webhook.
👉 Fix:
Moved webhook to environment variables
- Container Not Starting
My app kept crashing because config.yaml was missing.
👉 Fix:
Added it to Docker image
- No Slack Alerts
The container couldn’t access environment variables.
👉 Fix:
Passed variables via docker-compose.yml
🎯 What I Learned
How real-time log monitoring works
How to detect anomalies using statistics
How to automate security responses
How to use Docker in real projects
Why never to commit secrets
🚀 Final Thoughts
This project helped me move from:
“Just learning DevOps” → “Building real-world systems”
If you’re a beginner, I highly recommend building something like this.
Dashboard URL http://52.203.164.199:5000/
Github Repo https://github.com/George-Adaba/anomaly-detection-ddos.git




















