Why NetFlow Is Still the Best Mechanism for Detecting DDoS Attacks
Recently some network operators have raised questions about the use of flow data to detect distributed denial-of-service (DDoS) attacks, with the main concern being a perception that NetFlow export latency means an attack will not be detected quickly enough. Additionally, sometimes operators think that packet-based data such as sFlow provides better metrics than flow for detecting and identifying attacks.
However, these concerns are not accurate. Although NETSCOUT Arbor Sightline supports sFlow perfectly, flow-based telemetry (NetFlow, IPFIX) remains a more scalable, accurate, and fast option for detecting DDoS attacks. Many of the perceived benefits of sFlow stem from a misunderstanding of how flow export works.
How Does the Flow Export Process on a Router Work?
Routers sample packets to generate flow records. These records are maintained in the router’s flow cache. When a router samples a packet, it checks whether a flow record for that packet already exists in the cache and, if so, updates it. If there is no matching record, a new one is created. If there is no room in the cache for the new record, an existing record (usually the oldest) is exported and cleared from the cache to make room. Given this, the key to fast flow export is to keep the flow cache running “hot”—i.e., full or nearly full all the time—so that new flows continually force older records out to the collector instead of waiting for a timer.
But What About Flow Export Latency?
Perhaps the most common concern we hear is that with flow, DDoS attacks can’t be detected for at least a minute. However, with proper configuration, flow records can be exported for DDoS attacks within a few seconds at most, and usually within 1 second.
So with Flow Data, I Can Detect DDoS Attacks in 1 Second?
Yes! Many NETSCOUT customers using Arbor Sightline and Arbor Threat Mitigation System (TMS) who follow our recommended practices regularly report fast DDoS detection times of 1 second, and time to mitigation in as little as 10 seconds.
OK, How Should I Configure My Routers for Fast Flow Export?
NETSCOUT recommends using the following settings for router flow export:
- Active flow timer: 60 seconds
- Inactive flow timer: 5 seconds
- Sampling rate: 1:1,000 or 1:1,024 (ideal; some routers require a higher ratio)
- Flow cache size: Tune to a size that keeps the cache running “hot” (i.e., mostly full)
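To make the “hot cache” argument concrete, here is an added toy simulation (not NETSCOUT’s code and not a real router implementation) of a flow cache using the active/inactive timers recommended above. It assumes the cache evicts the oldest record by creation time when full, treats every packet as sampled, and uses constructed traffic: short single-packet background flows plus a long-lived flood from a fixed set of sources. It reports how many seconds pass before the first flood record reaches the collector with a small (hot) cache versus an oversized (cold) one.

```python
from collections import OrderedDict
from dataclasses import dataclass

ACTIVE_TIMEOUT = 60    # seconds, as recommended above
INACTIVE_TIMEOUT = 5   # seconds, as recommended above


@dataclass
class FlowRecord:
    key: tuple        # (src, dst, proto, sport, dport)
    first_seen: int
    last_seen: int
    packets: int = 0


class FlowCache:
    """Toy router flow cache: a record is exported when a timer fires or
    when a full cache must make room for a new flow."""

    def __init__(self, max_size):
        self.max_size = max_size
        self.cache = OrderedDict()   # insertion order == creation order
        self.exported = []           # (export_time, FlowRecord)

    def sample(self, key, now):
        rec = self.cache.get(key)
        if rec is None:
            if len(self.cache) >= self.max_size:
                # Cache full: export the oldest record (assumed policy).
                _, victim = self.cache.popitem(last=False)
                self.exported.append((now, victim))
            rec = self.cache[key] = FlowRecord(key, now, now)
        rec.last_seen = now
        rec.packets += 1

    def expire(self, now):
        for key, rec in list(self.cache.items()):
            if now - rec.first_seen >= ACTIVE_TIMEOUT or now - rec.last_seen >= INACTIVE_TIMEOUT:
                self.exported.append((now, self.cache.pop(key)))


def attack_export_latency(cache_size, attack_start=10, attack_sources=50,
                          background_per_sec=100, duration=120):
    """Seconds from the first flood packet until the first flood record is
    exported. Constructed traffic, 1-second ticks; sampling not modelled."""
    fc, seen = FlowCache(cache_size), 0
    for now in range(duration):
        fc.expire(now)
        if now >= attack_start:   # same spoofed sources every second
            for i in range(attack_sources):
                fc.sample((f"198.51.100.{i}", "203.0.113.10", 17, 53, 53), now)
        for i in range(background_per_sec):   # unique short-lived flows
            fc.sample((f"192.0.2.{i}", "203.0.113.10", 6, 1024 + now * 100 + i, 443), now)
        for t, rec in fc.exported[seen:]:
            if rec.key[0].startswith("198.51.100."):
                return t - attack_start
        seen = len(fc.exported)
    return None
```

With these constructed inputs a 200-entry (hot) cache exports the first flood record 1 second after the flood starts, while a 100,000-entry (cold) cache only exports it when the 60-second active timer fires.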
Doesn’t Frequent Fast Flow Export Cause a High Load on the Router?
Flow export has not caused load issues on modern routers for many years. This is because flow records are a very compact representation of the underlying packet data, and they are batched for export, with many records (as many as 30) carried in a single User Datagram Protocol (UDP) packet. This makes the export process very efficient.
Doesn’t sFlow Provide More Data Than NetFlow?
The perception is that sFlow is exporting “packet” data and would be more useful for understanding the contents of the traffic and identifying DDoS traffic. However, sFlow exports only the first 128 bytes of a packet in most cases, which is enough to include full layer 4 headers, but only a fragment of the application payload. For example, this is often not enough data to include a full Domain Name System (DNS) query or the full DNS reply. It also can’t include a full Transport Layer Security (TLS) handshake message. And with encrypted traffic, any payload fragments are essentially useless.
In practice, for DDoS attack detection, NetFlow and IPFIX provide the same fidelity as sFlow records, but they do so much more compactly and efficiently, especially when using templated flow export such as NetFlow v9 and IPFIX.
I Hear You, But I Still Really Believe sFlow Is Better. Do You Support sFlow?
Yes! Although we believe NetFlow or IPFIX data is more efficient and effective, Arbor Sightline fully supports ingesting sFlow data—and has for more than 15 years. Arbor Sightline provides full feature parity for sFlow data, as it does with NetFlow or IPFIX.
For more about understanding and configuring flow, please see our NetFlow FAQ.