How to do it: DDoS

This page shows each idea rendered alongside the server-side code that helps handle or reduce traffic floods, in Python and other languages.

Safe teaching mode: this page shows defensive code for handling heavy traffic. It does not include offensive flood tooling.

Card 1 — normal traffic to a Python service

Show a normal endpoint first, then explain why the service needs protection when traffic spikes.

A few normal users reach the server without any issue.

Basic Python endpoint

Teach the starting point before adding throttling.

from flask import Flask, jsonify

app = Flask(__name__)

@app.get("/status")
def status():
    return jsonify({"ok": True})

Card 2 — Python rate limiting

This is the code that starts pushing back when requests become excessive.

Traffic spike: too many requests hit the same route at once and the limit is reached.

Python example with throttling

This is the kind of code you teach in Python.

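from flask import Flask, jsonify
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

app = Flask(__name__)
# Clients are keyed by request.remote_addr. Behind a reverse proxy that is the
# proxy's address unless the app is set up to trust forwarded headers.
limiter = Limiter(get_remote_address, app=app, default_limits=["60 per minute"])

# The per-route limit below replaces the default limit for this route.
@app.get("/status")
@limiter.limit("10 per second")
def status():
    return jsonify({"ok": True})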

Card 3 — Node.js and PHP examples

Show that the same defense idea exists in other common server stacks too.

Same idea, different stack: Node.js and PHP can also count requests and slow down abuse, through middleware or session checks.
Stacks: Node.js, PHP, reverse proxy.

Node.js and PHP throttling examples

Use these when teaching “other languages”.

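// Node.js / Express
const express = require("express");
const rateLimit = require("express-rate-limit");

const app = express();
// At most 120 requests per client per 60-second window
app.use(rateLimit({ windowMs: 60_000, max: 120 }));

<?php
// PHP simple limiter idea (fixed window; the 60 s window is an assumed value).
// Keyed on the session, so it only counts clients that send the cookie back.
session_start();
if (time() - ($_SESSION['window_start'] ?? 0) >= 60) {
    $_SESSION['window_start'] = time();
    $_SESSION['hits'] = 0;
}
$_SESSION['hits']++;
if ($_SESSION['hits'] > 100) {
    http_response_code(429);
    exit('Too Many Requests');
}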

Card 4 — edge protection and recovery

The strongest ending is usually outside the app too: proxies, caching, filtering, and load balancing.

Filtered at the edge: the reverse proxy drops or slows suspicious traffic before it reaches the app (upstream protection).

Nginx / reverse proxy example

End the lesson with a practical infrastructure rule.

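# Nginx rate limiting
# limit_req_zone belongs in the http {} context; "backend" must be a defined upstream.
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=20r/s;

server {
  location /api/ {
    # Up to 40 requests above the rate are served immediately (nodelay);
    # anything beyond that is rejected (503 unless limit_req_status is set).
    limit_req zone=api_limit burst=40 nodelay;
    proxy_pass http://backend;
  }
}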
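
To see what rate=20r/s with burst=40 nodelay does to a flood compared with a client that stays at the limit, the following added example (not part of the original lesson and not nginx's own code) is a simplified model of the leaky-bucket accounting behind limit_req. The class and function names, the documentation-range IP addresses and the arrival times are constructed for illustration.

```python
"""Simplified model of nginx limit_req accounting with nodelay (constructed example)."""


class LimitReqZone:
    def __init__(self, rate_per_s: int, burst: int):
        self.rate = rate_per_s            # rate=20r/s
        self.burst_milli = burst * 1000   # burst=40, in thousandths of a request
        self.state = {}                   # key -> (excess in thousandths, last accepted ms)

    def allow(self, key: str, now_ms: int) -> bool:
        """Return True if the request is passed upstream, False if rejected."""
        if key not in self.state:
            self.state[key] = (0, now_ms)  # first request from this key is free
            return True
        excess, last_ms = self.state[key]
        elapsed = max(now_ms - last_ms, 0)
        # The bucket drains at `rate` requests/s and each request adds one unit.
        excess = max(excess - self.rate * elapsed + 1000, 0)
        if excess > self.burst_milli:
            return False                   # over the burst: rejected, bucket not charged
        self.state[key] = (excess, now_ms)
        return True


def count_accepted(zone, key, arrivals_ms):
    return sum(zone.allow(key, t) for t in arrivals_ms)


def demo():
    """Run constructed arrival patterns against the page's rate=20r/s, burst=40."""
    results = {}
    zone = LimitReqZone(20, 40)
    # 200 requests from one address in the same millisecond
    results["spike"] = count_accepted(zone, "198.51.100.7", [0] * 200)
    # A different address is counted separately ($binary_remote_addr is the key)
    results["other_client"] = count_accepted(zone, "203.0.113.9", [0])
    # 100 requests/s sustained for one second from one address
    zone = LimitReqZone(20, 40)
    results["fast"] = count_accepted(zone, "198.51.100.7", range(0, 1000, 10))
    # Exactly 20 requests/s for five seconds: never rejected
    zone = LimitReqZone(20, 40)
    results["at_rate"] = count_accepted(zone, "198.51.100.7", range(0, 5000, 50))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the zone is keyed per address, the limit caps each source separately; traffic spread over many addresses still adds up at the backend, which is why the lesson pairs it with caching, filtering and load balancing.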