[nsp-sec] Jflow/NetFlow/IPFix/SFlow

John Brown john at citylinkfiber.com
Thu Dec 28 18:13:47 EST 2017


Hi, while maybe not the "right" place to post this, one list member suggested
that I should given the implications to helping with DDOS and related.
So here it goes with my flame retardant suit on ;)

We are looking to deploy some new Juniper MX480 boxes at various IX locations
around the globe.  Primarily for peering / interconnect and selling some services.

Recently we found when DM (Google) ran the DDOS traceback test that we didn't
have the visibility we really wanted.  Part of it seems to be based on our
existing Juniper kit not being able to push good flow data.  MPC3D's and the like.

We raised this to our Juniper folks and they suggested new MPC's and a
JFlow license.
Ergo, buy more stuff :)

I see flow collection from three types of ports.
1. Customer facing port
2. Transit facing port
3. Peer / IX facing port.

Types 1 and 2 seem to be covered by NetFlow v9 or similar type of flow
information.

Type 3 seems to be a bit harder in that when connected to an IX fabric you
really need the MAC address so that you know which neighbor/peer on the IX
fabric sent you the packet.

We are pretty much married to Juniper Kit at this point.

We are collecting with ELK and similar OS tools.
We want good visibility for traceback and for alarming / reporting /
debugging / etc.
We want the ability to definitively answer the question on where crap is
entering / exiting our network.

It seems that marketing folks have cluttered up the terms.
How are folks solving this and what flow technology(ies) are you using?
Useful advice highly welcomed, willing to pay in beer or scotch :)

Many thanks in advance.
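
The following is an added example, not part of the original post: a sketch of the attribution the post asks for, where customer and transit ports identify the neighbor by interface alone while an IX-facing port needs the source MAC (in IPFIX, the sourceMacAddress information element) to tell peers apart. The record field names, port names, MACs, ASNs and prefixes are constructed assumptions standing in for whatever the collector has already decoded.

```python
import ipaddress
from collections import Counter

# Constructed inventory (hypothetical names): port roles, and peer MACs on the IX LAN.
PORT_ROLE = {"xe-0/0/0": ("customer", "cust-A"),
             "xe-0/0/1": ("transit", "transit-1"),
             "xe-1/0/0": ("ix", "IX-1")}
IX_PEERS = {"IX-1": {"020000000001": "AS64496", "020000000002": "AS64497"}}

# Constructed, already-decoded flow records; "rate" is the 1-in-N sampling rate.
FLOWS = [
    {"in_if": "xe-1/0/0", "src_mac": "02:00:00:00:00:01", "dst": "203.0.113.10", "bytes": 1500, "rate": 1000},
    {"in_if": "xe-1/0/0", "src_mac": "0200.0000.0002", "dst": "203.0.113.10", "bytes": 500, "rate": 1000},
    {"in_if": "xe-1/0/0", "src_mac": "02-00-00-00-00-01", "dst": "203.0.113.77", "bytes": 1000, "rate": 1000},
    {"in_if": "xe-1/0/0", "src_mac": "02:00:00:00:00:99", "dst": "203.0.113.10", "bytes": 200, "rate": 1000},
    {"in_if": "xe-1/0/0", "dst": "203.0.113.10", "bytes": 100, "rate": 1000},
    {"in_if": "xe-0/0/1", "dst": "203.0.113.10", "bytes": 300, "rate": 1000},
    {"in_if": "xe-0/0/0", "dst": "198.51.100.5", "bytes": 900, "rate": 1000},
]

def norm_mac(mac):
    """Reduce aa:bb:.., aa-bb-.. or aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return digits

def entry_point(flow):
    """Name the neighbor a flow came from; only IX ports need the MAC."""
    role, name = PORT_ROLE.get(flow["in_if"], ("unknown", flow["in_if"]))
    if role != "ix":
        return f"{role}:{name}"
    if not flow.get("src_mac"):
        return f"ix:{name}:no-mac-exported"   # exporter template lacks the MAC
    mac = norm_mac(flow["src_mac"])
    peer = IX_PEERS.get(name, {}).get(mac)
    return f"ix:{name}:{peer}" if peer else f"ix:{name}:unknown-mac-{mac}"

def traceback(flows, victim_prefix):
    """Estimated bytes toward victim_prefix per entry point, largest first."""
    net = ipaddress.ip_network(victim_prefix)
    totals = Counter()
    for f in flows:
        if ipaddress.ip_address(f["dst"]) in net:
            totals[entry_point(f)] += f["bytes"] * f["rate"]
    return totals.most_common()
if __name__ == "__main__":
    for where, est_bytes in traceback(FLOWS, "203.0.113.0/24"):
        print(f"{est_bytes:>10}  {where}")
```

The `no-mac-exported` and `unknown-mac-…` buckets are the ones to alarm on: the first means the export on that port cannot answer the traceback question, the second means traffic arrived from a MAC missing from the peer table.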

