[c-nsp] NTP DDoS

Dobbins, Roland rdobbins at arbor.net
Tue Feb 18 05:55:31 EST 2014


On Feb 18, 2014, at 5:48 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> AFAIK nfdump uses the start/end time in the flows to calculate pps, so would this matter? Or is it a result of the sampling maths?

It has to do with long flows - flows aren't exported from the router/switch until they're terminated.  Be sure your active flow timer is set to 1m/60s, and your inactive flow timer set to 5s.

Otherwise, you'll have all these false peaks and valleys from your stats being backlogged up to 30m, which is the default for the active flow timer.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
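
The effect described in the message above, as an added illustration that is not part of the original post: a simulation of one constant-rate, two-hour flow under the 30m default active timer versus the 60s/5s settings. It assumes a collector that credits each record's packets to the 5-minute bin in which the record arrives; the function names, the traffic values and the 15s inactive timer in the first case are constructed for the example.

```python
from collections import defaultdict

def export_records(flow_start, flow_end, pps, active_timeout, inactive_timeout):
    """Return (export_time, packets) records a flow cache would emit for one
    constant-rate flow: one record each time the active timer expires, plus a
    final record once the flow has been idle for inactive_timeout seconds."""
    records, t = [], flow_start
    while flow_end - t > active_timeout:
        t += active_timeout
        records.append((t, pps * active_timeout))
    # Whatever is left in the cache is exported after the flow goes idle.
    records.append((flow_end + inactive_timeout, pps * (flow_end - t)))
    return records

def pps_per_bin(records, bin_seconds, horizon):
    """Collector view (assumption): packets are credited to the bin in which
    the record was exported, then divided by the bin width."""
    bins = defaultdict(int)
    for export_time, packets in records:
        bins[export_time // bin_seconds] += packets
    return [bins[i] / bin_seconds for i in range(horizon // bin_seconds)]

if __name__ == "__main__":
    # Constructed sample: a steady 1000 pps flow lasting two hours.
    TRUE_PPS, DURATION, BIN, HORIZON = 1000, 7200, 300, 7500
    for label, active, inactive in (("active 30m", 1800, 15),
                                    ("active 60s / inactive 5s", 60, 5)):
        recs = export_records(0, DURATION, TRUE_PPS, active, inactive)
        series = pps_per_bin(recs, BIN, HORIZON)
        print(f"{label}: {len(recs)} records, "
              f"min {min(series):.0f} pps, max {max(series):.0f} pps")
        print("  " + " ".join(f"{v:.0f}" for v in series))
```

Both runs account for the same total packet count; only the shape of the time series changes, with the 30m case showing bins of 0 pps followed by a single bin at six times the true rate.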



