Introduction

Imagine you run a cloud storage platform. Thousands of users upload files, share documents, and collaborate every day. Then one morning, a single IP address sends 500 requests in 60 seconds. Your server slows to a crawl. Users can't log in. Files won't upload. You're under attack.

This is a DDoS (Distributed Denial of Service) attack. The goal is simple: flood your server with so many requests that it can't serve real users anymore.

In this post, I'll walk you through how I built an anomaly detection engine that watches all incoming HTTP traffic in real time, learns what normal looks like, and automatically blocks attackers, all without any third-party security libraries.…