Understanding Netflow Latency and Effectiveness in Detecting and Mitigating DDoS Attacks
While we believe that Netflow or IPFIX data is more efficient and effective, Sightline fully supports ingesting sFlow data and has for over 15 years.
Recently some network operators have raised concerns about the use of flow data as a DDoS detection mechanism. The main concern is usually a perception that netflow export has high latency, i.e. that the attack will not be detected quickly because the netflow won’t be sent to Sightline for a minute or so until after the attack has already caused an outage. There is also sometimes a concern that packet-based data such as sFlow provides better data than flow to detect and identify attacks.
While understandable for network operators who haven’t worked with flow-based telemetry yet, these concerns are not accurate. While Sightline does support sFlow perfectly well if customers prefer to use it, flow-based telemetry (Netflow, IPFIX) remains a more scalable, accurate, and fast option to detect DDoS attacks. Many of the perceived benefits of sFlow stem from a misunderstanding of how flow export works. With this FAQ, we hope to clear up these misunderstandings and false claims.