[c-nsp] NTP DDoS

Dobbins, Roland rdobbins at arbor.net
Tue Feb 18 06:50:54 EST 2014

On Feb 18, 2014, at 6:20 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> Aaron reported his netflow was reporting too-high spikes. How would shorter flow timeouts - which equals high-frequency reporting bins/windows at the collector - result in *lower* pps counters?

Because the spikes may be artificial, artifacts of backlogged stats.

> I can only see this being the case of the collector doesn't honour start/end times, and does something dumb like assuming end time == reception time. AFAIK that's not the case with nfdump.

Some do, some don't.  Getting your stats 30m late isn't helpful, in any event.

I've seen artificial spikes in bps/pps take place many, many times due to active flow timer misconfiguration, that's why I suggested checking the active flow timer.  YMMV.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

More information about the cisco-nsp mailing list