On Mon, 2 Sep 2013, Dobbins, Roland wrote:

> On Sep 3, 2013, at 4:34 AM, Jon Lewis wrote:
>
>> Having used it exactly for that, I disagree and am curious why you say
>> it's useless.
>
> Because in any Internet-facing environment with any kind of traffic diversity, it's non-deterministically skewed.
>
> So, in a network environment of any scale, you can't actually know whether or not a given source or destination is sending/receiving unusual volumes of traffic, as you don't know what is usual.

Maybe if you're talking about using it in an IDS sort of way, I'd agree, but for detecting the sort of huge scale anomaly found in DoS attacks, no. At least for a "smaller" network that normally deals with traffic on the order of a gbit/s or so, the Sup720's netflow data definitely is useful for DoS traffic characterization/investigation. I haven't looked at netflow from one doing tens or hundreds of gbit/s.

I think your employer is clouding your vision.

Sure, netflow from a Sup720 isn't great, but if it's what you've got, it can be used and relied upon. Maybe it doesn't play well with Arbor's products, but that only makes it useless to Arbor.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
                             |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
