automatic rtbh trigger using flow data
rdobbins at arbor.net
Fri Aug 31 15:32:01 UTC 2018
On 31 Aug 2018, at 16:33, Ryan Hamel wrote:
> From experience, sflows are horribly inaccurate for DDoS detection,
> since the volume could disrupt the control plane and render the
> process useless, thus not giving data to the external system to act
> upon it.
On the contrary, flow telemetry in general works quite well for DDoS
detection/classification/traceback, and is widely utilized for such
purposes; it has been for many years.
I'm not a big fan of sFlow comparatively speaking, but it and NetFlow,
IPFIX, et al. have proven themselves over the years, assuming that the
flow export parameters on the exporting devices are configured
correctly, and the collection/analysis systems are configured optimally.
Flow telemetry is management-plane, not control-plane. Implementing
network infrastructure self-protection BCPs such as iACLs is definitely
recommended in general.
Roland Dobbins <rdobbins at arbor.net>
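As an added illustration of the thread's subject (an automatic RTBH trigger driven by flow telemetry), the following Python is example code written for this archive page; it is not from Roland, Ryan, or any NANOG-discussed tool. It shows the two points the reply hinges on: sampled flow counters are only meaningful once scaled by the exporter's configured sampling rate, and the trigger logic needs a do-not-blackhole list so the RTBH automation cannot be turned against critical infrastructure. The flow records, sampling rate, thresholds and the protected prefix are all constructed values; `65535:666` is the BLACKHOLE well-known community from RFC 7999, and the discard next-hop is a placeholder.

```python
"""Sampled-flow DDoS detector that emits RTBH (/32 blackhole) trigger decisions.

Example code for illustration; every tuning value below is a constructed
assumption, not a recommendation for any specific network.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class FlowRecord:
    """One exported flow record (sFlow/NetFlow/IPFIX) carrying *sampled* counters."""
    ts: float      # export timestamp, seconds since epoch
    src: str
    dst: str
    proto: int
    packets: int   # packets as exported, i.e. before scaling by the sampling rate
    octets: int    # octets as exported, before scaling


@dataclass(frozen=True)
class Rate:
    pps: float
    bps: float


# Hypothetical tuning values; a real deployment derives these from baselines.
SAMPLING_RATE = 1000            # exporter is assumed to run 1:1000 packet sampling
WINDOW_SECONDS = 60
PPS_THRESHOLD = 1_000_000
BPS_THRESHOLD = 2_000_000_000
# Destinations that must never be blackholed automatically (constructed list,
# e.g. resolvers, route servers, the trigger router itself).
PROTECTED = [ip_network("192.0.2.0/28")]


def aggregate_by_destination(records, window_start, window=WINDOW_SECONDS,
                             sampling_rate=SAMPLING_RATE):
    """Per-destination wire rate over one window, scaled from sampled counters.

    If the exporter's real sampling rate differs from `sampling_rate`, every
    rate returned here is off by that ratio: this is the "flow export
    parameters configured correctly" precondition from the thread.
    """
    pkts, octs = defaultdict(int), defaultdict(int)
    for r in records:
        if window_start <= r.ts < window_start + window:
            pkts[r.dst] += r.packets
            octs[r.dst] += r.octets
    return {dst: Rate(pps=pkts[dst] * sampling_rate / window,
                      bps=octs[dst] * sampling_rate * 8 / window)
            for dst in pkts}


def rtbh_candidates(rates, pps_threshold=PPS_THRESHOLD,
                    bps_threshold=BPS_THRESHOLD, protected=PROTECTED):
    """Destinations over either threshold that are not on the protected list."""
    out = []
    for dst, rate in rates.items():
        if rate.pps < pps_threshold and rate.bps < bps_threshold:
            continue
        if any(ip_address(dst) in net for net in protected):
            continue  # over threshold, but automation must not null-route it
        out.append(dst)
    return sorted(out)


def rtbh_route(dst, next_hop="192.0.2.1", community="65535:666"):
    """Describe the /32 a trigger router would originate toward its iBGP peers.

    65535:666 is the RFC 7999 BLACKHOLE community; `next_hop` is a placeholder
    for the address peers already route to a discard interface.
    """
    return {"prefix": f"{dst}/32", "next_hop": next_hop,
            "community": community, "no_export": True}


# Constructed sample export: two benign flows to .10, a UDP flood toward .20,
# an identical flood toward the protected .3, and one record outside the window.
T0 = 1_700_000_000.0
SAMPLE_FLOWS = [
    FlowRecord(T0 + 1, "198.51.100.7", "192.0.2.10", 6, 12, 9_600),
    FlowRecord(T0 + 20, "198.51.100.8", "192.0.2.10", 6, 9, 7_200),
    FlowRecord(T0 + 5, "203.0.113.4", "192.0.2.20", 17, 30_000, 1_920_000),
    FlowRecord(T0 + 25, "203.0.113.5", "192.0.2.20", 17, 30_000, 1_920_000),
    FlowRecord(T0 + 45, "203.0.113.6", "192.0.2.20", 17, 30_000, 1_920_000),
    FlowRecord(T0 + 3, "203.0.113.9", "192.0.2.3", 17, 30_000, 1_920_000),
    FlowRecord(T0 + 30, "203.0.113.9", "192.0.2.3", 17, 30_000, 1_920_000),
    FlowRecord(T0 + 50, "203.0.113.9", "192.0.2.3", 17, 30_000, 1_920_000),
    FlowRecord(T0 + 90, "203.0.113.6", "192.0.2.20", 17, 30_000, 1_920_000),
]


def run_demo(records=SAMPLE_FLOWS, window_start=T0):
    """Return the RTBH routes the detector would trigger for one window."""
    rates = aggregate_by_destination(records, window_start)
    return [rtbh_route(dst) for dst in rtbh_candidates(rates)]


if __name__ == "__main__":
    for route in run_demo():
        print(route)
```

With the constructed data, only 192.0.2.20 is triggered: its 90,000 sampled packets scale to 1.5 Mpps, while 192.0.2.3 sees the same flood but sits inside the protected prefix and 192.0.2.10 is far below threshold. Halving the assumed `SAMPLING_RATE` halves every rate, which is why the detector's output is only as trustworthy as the exporter configuration it mirrors.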