Have you ever wondered how a website "knows" it's being attacked and automatically pulls the plug on the attacker? I recently built an anomaly detection engine from scratch. It’s a live system that watches incoming traffic, learns what "normal" looks like, and automatically blocks suspicious IPs using Linux firewall rules. In this post, I’ll walk you through how it works in plain English. No prior security experience required. Let's get into it....

🛠 What the Project Does (and Why It Matters)

Imagine a popular restaurant. Usually, customers walk in, order, and eat. But what if 500 people suddenly rushed in at once, stood at the counter, and ordered nothing? The staff would be so overwhelmed they couldn't serve real customers. That is a DDoS (Distributed Denial of Service) attack: many sources flooding a server with requests until legitimate users can't get through.

The challenge is that you can't just say "block anyone who sends more than 100 requests." A busy server might normally see 200 requests from a single legitimate client in that time, while a quiet one sees 5. A hardcoded limit would either block real fans or miss real attackers.…
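To make the "learn what normal looks like" idea concrete, here is a small Python example I added for this post. It is not the engine's own code; it only shows the threshold logic, with no firewall rules involved. It learns a per-IP baseline (mean and standard deviation of requests per minute) from attack-free traffic and flags any IP that exceeds mean plus three standard deviations, then runs the same live minute through a hardcoded limit of 100 for comparison. All IP addresses, request counts and log lines are constructed for the illustration, and the `epoch_seconds ip` log format is an assumption to keep the parser short.

```python
"""Adaptive per-IP thresholds versus one hardcoded limit.

Added example, not the original post's engine. It demonstrates the point
the post makes: a fixed "block above 100 requests per minute" rule
over-blocks on a busy server and under-blocks on a quiet one, while a
threshold learned from that server's own normal traffic handles both.
Every request count and log line below is constructed for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

HARDCODED_LIMIT = 100          # requests per window; the naive rule


def learn_baseline(training_windows):
    """Learn 'normal' from attack-free traffic.

    training_windows: list of {ip: request_count}, one dict per time window
    (one minute each here). Returns (mean, stdev) of per-IP counts.
    """
    samples = [n for window in training_windows for n in window.values()]
    return mean(samples), pstdev(samples)


def adaptive_threshold(baseline, k=3.0, floor=5):
    """mean + k*stdev, but at least mean + floor so a very regular
    baseline (stdev near 0) does not flag a client for one extra request."""
    mu, sigma = baseline
    return max(mu + k * sigma, mu + floor)


def flag_ips(window, threshold):
    """IPs whose count in this window is above the threshold (sorted)."""
    return sorted(ip for ip, n in window.items() if n > threshold)


def windows_from_log(lines, window_seconds=60):
    """Turn constructed 'epoch_seconds client_ip' lines into per-window
    per-IP counts. A real engine would parse the web server's access log."""
    buckets = defaultdict(Counter)
    for line in lines:
        ts, ip = line.split()
        buckets[int(ts) // window_seconds][ip] += 1
    return [buckets[w] for w in sorted(buckets)]


def compare(training_windows, live_window):
    """Return (ips flagged by the hardcoded limit, ips flagged adaptively)."""
    threshold = adaptive_threshold(learn_baseline(training_windows))
    return flag_ips(live_window, HARDCODED_LIMIT), flag_ips(live_window, threshold)


# Busy server: four regular clients each make ~200 requests per minute.
BUSY_TRAINING = [
    {"198.51.100.1": 195, "198.51.100.2": 210, "198.51.100.3": 200, "198.51.100.4": 205},
    {"198.51.100.1": 200, "198.51.100.2": 190, "198.51.100.3": 210, "198.51.100.4": 200},
    {"198.51.100.1": 205, "198.51.100.2": 200, "198.51.100.3": 195, "198.51.100.4": 200},
]
# Live minute: the same clients plus one flooder at 2000 requests.
BUSY_LIVE = {"198.51.100.1": 199, "198.51.100.2": 208, "198.51.100.3": 204,
             "198.51.100.4": 201, "203.0.113.9": 2000}

# Quiet server: three clients at ~5 requests per minute.
QUIET_TRAINING = [
    {"192.0.2.10": 4, "192.0.2.11": 6, "192.0.2.12": 5},
    {"192.0.2.10": 5, "192.0.2.11": 5, "192.0.2.12": 6},
    {"192.0.2.10": 6, "192.0.2.11": 4, "192.0.2.12": 5},
]
# Live minute as raw (constructed) log lines: normal clients plus 203.0.113.7
# at 60/min, a flood for this server yet far below the hardcoded 100.
QUIET_LIVE_LOG = (
    ["1700000000 192.0.2.10"] * 5
    + ["1700000010 192.0.2.11"] * 7
    + ["1700000020 192.0.2.12"] * 4
    + ["1700000030 203.0.113.7"] * 60
)


def demo():
    busy = compare(BUSY_TRAINING, BUSY_LIVE)
    quiet = compare(QUIET_TRAINING, windows_from_log(QUIET_LIVE_LOG)[0])
    return {"busy": busy, "quiet": quiet}


if __name__ == "__main__":
    for name, (fixed, adaptive) in demo().items():
        print(f"{name}: hardcoded limit flags {fixed}; adaptive flags {adaptive}")
```

On the busy server the hardcoded rule flags all five IPs, including the four regular clients, while the learned threshold (about 218 requests per minute here) flags only the flooder. On the quiet server the hardcoded rule flags nobody, because 60 is under 100, while the learned threshold (about 10) catches it. The `floor` argument is the caveat worth keeping: with a perfectly regular baseline the standard deviation is zero, and without a floor a single extra request would be an "anomaly".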