[c-nsp] NTP DDoS

Phil Mayers p.mayers at imperial.ac.uk
Tue Feb 18 06:20:11 EST 2014

On 18/02/14 10:55, Dobbins, Roland wrote:
> On Feb 18, 2014, at 5:48 PM, Phil Mayers <p.mayers at imperial.ac.uk>
> wrote:
>> AFAIK nfdump uses the start/end time in the flows to calculate pps,
>> so would this matter? Or is it a result of the sampling maths?
> It has to do with long flows - flows aren't exported from the
> router/switch until they're terminated.  Be sure your active flow
> timer is set to 1m/60s, and your inactive flow timer set to 5s.
> Otherwise, you'll have all these false peaks and valleys from your
> stats being backlogged up to 30m, which is the default for the active
> flow timer.

Not quite what I was asking. I'm familiar with the basic operation of 
netflow, but thanks for the explanation ;o)

Aaron reported his netflow was reporting too-high spikes. How would 
shorter flow timeouts - which equals high-frequency reporting 
bins/windows at the collector - result in *lower* pps counters?

I can only see this being the case of the collector doesn't honour 
start/end times, and does something dumb like assuming end time == 
reception time. AFAIK that's not the case with nfdump.

More information about the cisco-nsp mailing list