[c-nsp] NTP DDoS

Phil Mayers p.mayers at imperial.ac.uk
Tue Feb 18 05:48:47 EST 2014

On 18/02/14 09:20, Dobbins, Roland wrote:
> On Feb 18, 2014, at 2:15 PM, Aaron <aaron1 at gvtc.com> wrote:
>> Usually nfsen seems to be pretty accurate, is there a reason for
>> that ~40 gbps reading during that ntp attack ?
> Have you set your active flow timer to 60s/1m, so as to avoid
> backlogged spikes?

AFAIK nfdump uses the start/end time in the flows to calculate pps, so 
would this matter? Or is it a result of the sampling maths?

More information about the cisco-nsp mailing list