Comments on sFlow: DDoS
Feed updated: 2024-02-13T07:05:41.069-08:00

Peter (2018-08-15T15:07:30.827-07:00):
There are numerous examples on this blog, see <a href="https://blog.sflow.com/search/label/DoS" rel="nofollow">DoS</a>

Anonymous (2018-07-06T04:34:56.233-07:00):
Please can I see the algorithm for the detection and mitigation that will support sFlow?

Peter (2018-03-26T07:28:59.868-07:00):
<a href="https://sflow-rt.com/define_flow.php" rel="nofollow">Defining Flows</a> describes the parameters available for defining sFlow-RT flows. Change value:'frames' to value:'bytes' to track traffic in bytes/second. sFlow-RT calculates the bytes/second value based on the size of each packet sample.

Lawal Babatunde Hafis (2018-03-26T06:10:09.969-07:00):
An example of what I am saying can be seen in the example above:
5M pps = 30Gbps.
If this is the case, it means the size of each packet = 750 bytes per second.
Is this correct and if yes, is it the case always?
Thanks.

Lawal Babatunde Hafis (2018-03-26T06:03:53.527-07:00):
I am very grateful for your response sir, however, I have one more question.
How do I convert the packet size in sFlow to bit/sec or, I should rather say, what is the size of each packet in bytes?
Thank you for your candid and timely support.

Peter (2018-03-24T11:21:54.079-07:00):
The UDP flood attacks described in this article generate orders of magnitude more packets/second than you would normally see on the network, so setting a threshold is not very difficult. A conservative approach (to eliminate false positives) is to determine the level of UDP traffic that would saturate WAN bandwidth, or disrupt services, and set a threshold to trigger at that level of traffic. Alternatively, you could look at normal UDP levels on the network and set a threshold 10 times the peak values you expect to see.

There are a number of <a href="http://blog.sflow.com/search/label/DoS" rel="nofollow">DoS</a> related articles on this blog that look at different attacks and mitigation strategies that you might find useful.

Lawal Babatunde Hafis (2018-03-24T01:38:10.057-07:00):
How do you differentiate a legitimate traffic surge from a DDoS attack in sFlow with regard to the setting of threshold values?
Thanks