My Journey in Cybersecurity: From Victim to Defender

When I was 11 years old, my Minecraft network was constantly under attack. Bots. Thousands of bots. Fake connections that saturated the server, crashed it, and left the few real players I had unable to play.

I didn’t know who was behind it. I didn’t know why they were doing it. And worst of all: I didn’t know how to stop them.

That frustration, that feeling of helplessness seeing your project destroyed by someone invisible, was what changed my life and led me into the world of cybersecurity.

The Problem: Constant Attacks

My network was recently opened. I had already learned the expensive lesson of spending $350 monthly on dedicated servers, so this time I started more humbly. But it didn’t matter how much I optimized the server or how many protection plugins I installed: the attacks kept coming.

DDoS. Although at that time I didn’t even know the term.

I saw in the server console:

[INFO] Player_Bot_123 has connected
[INFO] Player_Bot_456 has connected
[INFO] Player_Bot_789 has connected
[INFO] Player_Bot_1011 has connected
...
[ERROR] Server crashed due to high memory usage

Hundreds, sometimes thousands of connections per second. The server collapsed. Real players couldn’t enter. And I didn’t understand what was happening.

I tried everything:

• Antibot plugins (they didn’t work)
• Changing server IP (worked for 2 days, then attacks returned)
• Increasing server resources (only delayed the collapse)
• Whitelist (but then no new players could join)

Nothing worked. I was desperate.

The Turning Point: Ismael and NullCordX

One day, in Ajneb97’s Discord (a community of Minecraft server developers where I learned and shared), I mentioned my problem. I was frustrated, almost ready to give up on the network.

Then a message appeared from someone named Ismael.

“I see you’re having bot problems. I developed an antibot proxy called NullCordX. If you want, I can help you.”

At that moment I didn’t know it, but Ismael was the main developer of NullCordX, one of the most powerful antibot proxies for Minecraft networks. His tool was used by large networks moving thousands of real players.

And he offered to help me. Me, an 11-year-old kid with a 10-player network.

The help that changed everything

Ismael didn’t charge me anything. Not a dollar. He took the time to:

1. Explain what a reverse proxy was
2. How DDoS attacks worked
3. What bots did exactly
4. How NullCordX filtered them

And not only that: he gave me his proxy. He gave me access to NullCordX at no cost.

I installed it following his instructions. And for the first time in months, my server was stable. The bots kept coming, but the proxy filtered them before they reached the real server. It was like magic.

But more important than the technical solution was what Ismael awakened in me: curiosity.

The Question That Changed My Life

After the server was stable, I kept thinking:

“How does this work? How does the proxy know which connection is real and which is a bot? How is a DDoS attack done? Who was attacking me and why?”

Those questions consumed me. I couldn’t let them go. So I started investigating.

My first investigations

I started with the basics:

• What is a network protocol?
• How does TCP/IP work?
• What is a handshake?
• How is a connection established between client and server?

I read forums, watched videos, asked on Discord. But the best way to learn was to experiment.

I already had Kali Linux installed in dual boot (I had installed it when I learned about servers). At that time I only used it because “it looked cool” and had hacking tools. But now I had a real purpose.

Learning with Kali Linux

Kali Linux came with hundreds of pre-installed security tools. I started exploring them one by one:

Wireshark

My first serious tool. It captured all network traffic and showed it in detail. I could see exactly what was happening when someone connected to my server:

• SYN packets (connection request)
• ACK packets (confirmation)
• Data being transmitted

It was fascinating to see the network “from the inside”. It was like seeing The Matrix for the first time.

Nmap

I learned to scan ports, detect services, identify operating systems. I scanned my own server to see what ports were open and what information I was exposing.

I discovered I had several unnecessary ports open. I closed them. First security lesson learned: minimal attack surface.

Metasploit

This was more advanced. I didn’t fully understand it at first, but gradually I learned about exploits, payloads, and known vulnerabilities.

Aircrack-ng

Although I didn’t use it for anything malicious, learning about WiFi security taught me important concepts about encryption, handshakes, and authentication protocols.

Creating My Own Tools

After using existing tools for a while, I wanted to understand how they worked “under the hood”. The best way to learn is to build. So I started creating my own tools.

1. Simple Port Scanner

My first tool was a basic port scanner in Python. It wasn’t as sophisticated as Nmap, but I made it:

What it did:

• Scanned ports from 1 to 1000
• Identified which were open
• Showed the common service associated with the port
• Saved results to a file

What I learned:

• How sockets work
• The difference between TCP and UDP ports
• Why some scans are “noisy” and others “stealthy”
• Concepts of timeout and threading

2. IP Logger for Discord Bots

I created a Discord bot that logged who clicked certain links. It was to understand:

• How redirects work
• How to obtain client information (IP, User-Agent, etc.)
• How activity can be tracked

What it did:

• Generated unique links
• When someone clicked, it captured: IP, browser, operating system
• Sent information to a Discord channel
• Kept a log of all visits

Important lesson: This taught me about privacy and why it’s important. I saw how easy it was to collect information without people realizing. Since then, I became much more conscious about what links I click and what information I share.

3. Educational Login Bruteforcer

To understand how brute force attacks work, I created a simple script that tried to guess passwords.

What it did:

• Read a list of common passwords (wordlist)
• Tried each one against a login endpoint
• Counted attempts per second
• Showed how long it would take to try all combinations

What I learned:

• Why weak passwords are dangerous
• The importance of rate limiting
• Why two-factor authentication (2FA) is crucial
• Concepts of password hashing and salting

4. Network Traffic Analyzer

A tool that monitored my Minecraft server traffic in real-time.

What it did:

• Captured incoming packets
• Identified suspicious patterns (many connections from one IP)
• Alerted when it detected a possible attack
• Generated traffic statistics

What I learned:

• Traffic pattern analysis
• Anomaly detection
• Basic IDS (Intrusion Detection System) concepts
• Why proactive monitoring is essential

5. Simple Hash Cracker

To understand how hashed passwords are cracked:

What it did:

• Took an MD5 or SHA1 hash
• Tried words from a dictionary
• Compared hashes
• Showed the password if found

What I learned:

• Difference between hashing and encryption
• Why MD5 and SHA1 are no longer secure
• The importance of salting
• Why rainbow tables work

From Defense to Investigation

Over time, my focus changed. I no longer just wanted to defend my own systems. I wanted to understand the complete cybersecurity landscape:

Finding vulnerabilities

I started looking for vulnerabilities in systems (always with permission or in test environments):

• Misconfigured servers
• APIs without authentication
• SQL injections in forms
• Cross-Site Scripting (XSS) in web applications
• Exposure of sensitive information

Each vulnerability I found was a lesson about what not to do when building my own systems.

Bug Bounty Programs

I discovered that companies paid for finding vulnerabilities. Platforms like HackerOne and Bugcrowd. Although I didn’t dedicate myself full-time, it was fascinating to see how the industry valued people who found security issues.

Responsible Disclosure

I learned about responsible disclosure: if you find a vulnerability, you don’t publish it immediately. You contact the owner, give them time to fix it, and then (if they agree) you can share the finding educationally.

This taught me that cybersecurity isn’t just technical. It’s also ethical.

My Cybersecurity Philosophy

Today, several years later, cybersecurity is one of my greatest passions (along with software architecture). But my approach is specific:

1. System Protection

I don’t just build functional software. I build secure software:

• Robust authentication
• Granular authorization
• Encryption of sensitive data
• Input validation
• Rate limiting
• Security logging
• Principle of least privilege

2. Protection of People’s Information

I take privacy very seriously. After seeing how easy it is to collect information, I understand the responsibility we have as developers:

• Minimize collected data
• Encrypt everything sensitive
• Don’t sell/share user data
• Comply with GDPR, CCPA, and privacy regulations
• Give users control over their information

3. Fighting Cybercriminals

This sounds dramatic, but it’s real. Every secure system I build is a system that attackers can’t compromise. Every vulnerability I find and report is a door I close before the bad guys use it.

4. Education

I share what I know. I write about security. I explain concepts. Because I believe that more security-conscious developers = a safer internet for everyone.

Lessons I Learned

Lesson 1: Security is not optional

You can’t add security “later”. It has to be part of the design from day 1. Every architectural decision has security implications.

Lesson 2: Assume you will be attacked

It’s not “if” you’re attacked, it’s “when”. Especially if your project grows. Prepare from the beginning.

Lesson 3: The weakest link

Your system is only as secure as its weakest part. You can have the world’s best encryption, but if your users use “password123”, it doesn’t matter.

Lesson 4: Security is a process, not a product

You don’t “finish” security. It’s constant:

• New vulnerabilities are discovered
• New attacks are developed
• Best practices evolve

You have to stay updated.

Lesson 5: Knowledge is power, but also responsibility

Knowing how to break systems gives you power. But with that power comes the responsibility to use it ethically. Always.

Full Circle

It’s ironic: the attacks on my Minecraft network, which almost made me close the project, ended up giving me one of the greatest passions of my life.

If those attacks hadn’t happened, if Ismael hadn’t helped me, if I hadn’t had that curiosity of “how does this work?”, I probably wouldn’t be where I am today.

Today, when I build systems like Invitex or any other project, security is at the center:

• Robust authentication with JWT
• Encryption of sensitive data
• Rate limiting on all endpoints
• Security event logging
• Regular code audits
• Penetration testing

And when I see other developers, especially young ones, having security problems in their projects, I try to do what Ismael did for me: help without expecting anything in return.

My Final Message

If you’re a developer and haven’t thought about security, start today. You don’t need to be an expert. Start with the basics:

To begin:

1. Learn about OWASP Top 10 (the most common vulnerabilities)
2. Never store passwords in plain text
3. Validate and sanitize all inputs
4. Use HTTPS always
5. Implement proper authentication
6. Learn about SQL injection and how to prevent it
7. Understand XSS and CSRF

To go deeper:

1. Install Kali Linux in a VM
2. Practice in legal environments (HackTheBox, TryHackMe)
3. Read bug bounty reports
4. Follow security experts
5. Build simple tools to understand concepts

And most importantly: use your knowledge for good. The world needs more defenders, not more attackers.

Cybersecurity isn’t just about code. It’s about protecting real people from real harm. It’s a responsibility that all developers share.

Thank you, Ismael, wherever you are. Your act of kindness to an 11-year-old kid completely changed my life. I hope to do the same for others.