[c-nsp] NTP DDoS
Dobbins, Roland
rdobbins at arbor.net
Tue Feb 18 06:50:54 EST 2014
On Feb 18, 2014, at 6:20 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> Aaron reported his netflow was reporting too-high spikes. How would shorter flow timeouts - which equals high-frequency reporting bins/windows at the collector - result in *lower* pps counters?
Because the spikes may be artificial, artifacts of backlogged stats.
> I can only see this being the case of the collector doesn't honour start/end times, and does something dumb like assuming end time == reception time. AFAIK that's not the case with nfdump.
Some do, some don't. Getting your stats 30m late isn't helpful, in any event.
I've seen artificial spikes in bps/pps take place many, many times due to active flow timer misconfiguration, that's why I suggested checking the active flow timer. YMMV.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
More information about the cisco-nsp
mailing list