Re: automatic rtbh trigger using flow data


From: "Roland Dobbins" <rdobbins () arbor net>
Date: Fri, 31 Aug 2018 22:32:01 +0700


On 31 Aug 2018, at 16:33, Ryan Hamel wrote:

> From experience, sflows are horribly inaccurate for DDoS detection, since the volume could disrupt the control plane and render the process useless, thus not giving data to the external system to act upon it.

On the contrary, flow telemetry in general works quite well for DDoS detection/classification/traceback, and is widely utilized for such purposes; it has been for many years.

I'm not a big fan of sFlow comparatively speaking, but it and NetFlow, IPFIX, et al. have proven themselves over the years, assuming that the flow export parameters on the exporting devices are configured correctly, and the collection/analysis systems are configured optimally.

Flow telemetry is management-plane, not control-plane. Implementing network infrastructure self-protection BCPs such as iACLs is definitely recommended in general.


-----------------------------------
Roland Dobbins <rdobbins () arbor net>
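Added example, not part of this thread or of any vendor's collector: a minimal aggregation step that turns sampled flow records into RTBH /32 candidates. It scales each record by its sampling rate (the "flow export parameters" point above), refuses to blackhole protected infrastructure prefixes, and only triggers when a destination stays over threshold for several consecutive windows. The record layout, thresholds, addresses and window size are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records, as a collector would hand them over after
# decoding NetFlow/IPFIX/sFlow: (dst_ip, bytes, packets, sampling_rate).
# A record exported at 1:1000 stands for ~1000x its counters on the wire.
SAMPLE_FLOWS = [
    ("203.0.113.10", 6_000_000, 40_000, 1000),  # victim: two large records
    ("203.0.113.10", 3_000_000, 20_000, 1000),
    ("203.0.113.20", 120_000, 800, 1000),       # ordinary traffic
    ("203.0.113.20", 50_000, 100, 1),           # unsampled record, rate 1
    ("192.0.2.5", 9_000_000, 60_000, 1000),     # over threshold but protected
]
WINDOW_S = 60                   # aggregation window (assumed)
BPS_THRESHOLD = 1_000_000_000   # 1 Gbit/s per destination (assumed)
PPS_THRESHOLD = 500_000         # 500 kpps per destination (assumed)
# Never blackhole these: router loopbacks, the collector, resolvers, etc.
NEVER_BLACKHOLE = [ip_network("192.0.2.0/24")]  # constructed value


def aggregate(flows, window_s=WINDOW_S):
    """Scale each record by its sampling rate and sum per destination.
    Returns {dst_ip: (bits_per_second, packets_per_second)}."""
    totals = defaultdict(lambda: [0, 0])
    for dst, nbytes, npkts, rate in flows:
        totals[dst][0] += nbytes * rate * 8
        totals[dst][1] += npkts * rate
    return {d: (b / window_s, p / window_s) for d, (b, p) in totals.items()}


def rtbh_candidates(flows, window_s=WINDOW_S,
                    bps_thr=BPS_THRESHOLD, pps_thr=PPS_THRESHOLD):
    """Destinations over either threshold, minus protected prefixes, as /32
    strings ready for a blackhole announcement (community is site-specific)."""
    out = []
    for dst, (bps, pps) in aggregate(flows, window_s).items():
        if any(ip_address(dst) in net for net in NEVER_BLACKHOLE):
            continue
        if bps >= bps_thr or pps >= pps_thr:
            out.append(f"{dst}/32")
    return sorted(out)


def sustained(candidate_windows, required=3):
    """Damping: only destinations present in the last `required` consecutive
    windows are returned, so a single noisy export does not trigger RTBH."""
    recent = candidate_windows[-required:]
    if len(recent) < required:
        return set()
    return set.intersection(*(set(w) for w in recent))
```

Feed `rtbh_candidates()` once per export window and pass the accumulated lists to `sustained()` before announcing anything; the announcement itself (BGP session, blackhole community, withdrawal timer) is deliberately left to the routing side.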

