[c-nsp] Sampled netflow & compliance issues
Dobbins, Roland
rdobbins at arbor.net
Thu Feb 9 07:38:29 EST 2012
On Feb 9, 2012, at 4:44 PM, Phil Mayers wrote:
> When providers use sampled netflow, how do they typically deal with issues where a miscreant simply denies they did it on the basis that
> "sampling" was in use?
ISPs don't typically deal with miscreants, per se, except in terms of blocking DDoS attacks they launch, taking down their botnet C&Cs, et. al., heh.
The only issue of this type I've ever run into was a minor kerfluffle about 10 years ago in Italy, involving some endpoint network disputing their ISP bill because it was based upon sampled NetFlow. I pointed out that a) the sampled NetFlow, if it was in fact inaccurate, would *undercount*, and b) that it's easy enough to compare NetFlow stats to SNMP stats in order to verify the verisimilitude of the former.
That pretty much resolved the issue.
;>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
More information about the cisco-nsp
mailing list