[c-nsp] Sampled netflow & compliance issues

Dobbins, Roland rdobbins at arbor.net
Thu Feb 9 07:38:29 EST 2012


On Feb 9, 2012, at 4:44 PM, Phil Mayers wrote:

> When providers use sampled netflow, how do they typically deal with issues where a miscreant simply denies they did it on the basis that 
> "sampling" was in use?

ISPs don't typically deal with miscreants, per se, except in terms of blocking DDoS attacks they launch, taking down their botnet C&Cs, et. al., heh.

The only issue of this type I've ever run into was a minor kerfluffle about 10 years ago in Italy, involving some endpoint network disputing their ISP bill because it was based upon sampled NetFlow.  I pointed out that a) the sampled NetFlow, if it was in fact inaccurate, would *undercount*, and b) that it's easy enough to compare NetFlow stats to SNMP stats in order to verify the verisimilitude of the former.

That pretty much resolved the issue.

;>  

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton




More information about the cisco-nsp mailing list