On 21.11.15 15:40, Evgeny Vainerman wrote:
> Hi Peter,
> 
> I suspect that the problem appears when too many flows are reported. And the 
> issue is rather an outcome of a huge number of flows than of high bandwidth. A DDoS 
> attack is usually built of a huge number of very short flows (different source 
> IPs and ports).
> I'm trying to create some artificial traffic to simulate this situation.
> Maybe you can advise a simulation tool?

Hmm .. not that I am aware of. There are some studies regarding the accuracy 
of a total estimation from sampled flow data. Small flows are indeed a bigger 
problem and lead to bigger deviations of numbers.


Cheers

- Peter
> 
> 
> = = =
> Thanks,
> Evgeny
> 
> 
> -------- Original message --------
> From: Peter Haag <ph...@users.sourceforge.net>
> Date: 21/11/2015 13:24 (GMT+02:00)
> To: Evgeny Vainerman <evge...@securitydam.com>, 
> nfdump-discuss@lists.sourceforge.net
> Subject: Re: [Nfdump-discuss] PRTG reports x8 higher traffic than sFlow
> 
> Hi Evgeny,
> Hmm .. difficult to tell. sfcapd simply reports what it gets from the 
> exporter.
> The amount of data in bytes is extrapolated according to the sampling rate.
> In the event of a DDoS attack, there are many potential bottlenecks. So it's
> not easy to pinpoint the reason.
> 
>         - Peter
> 
> 
> On 22.10.15 12:52, Evgeny Vainerman wrote:
>> Hi All
>>
>> I'm using Cisco NX-OS(tm) n3000 Switch, Software (n3000-uk9), Version 
>> 6.0(2)U2(3).
>>
>> My sflow settings are as follows:
>>
>> sflow sampling-rate 5000
>> sflow  max-datagram-size 2000
>> sflow collector-ip X.X.X.X vrf management
>> sflow collector-port NNNN
>> sflow agent-ip Y.Y.Y.Y
>>
>> Recently I've got a DDoS attack.
>> PRTG has shown incoming traffic of ~27 Gbit/sec during ~10 minutes.
>>
>> sFlow reported more than 10K flows in one minute, each one's duration is 0.0
>> However, the total reported traffic is ~3.6 Gbit/sec:
>>
>> Summary: total flows: 11292, total bytes: 27533130000, total packets: 
>> 56460000, avg bps: 3672369329, avg pps: 941329, avg bpp: 487
>> Time window: 2015-10-21 11:25:00 - 2015-10-21 11:25:59
>>
>> What can be the reason for such a gap?
>>
>> -
>> Thanks,
>> Evgeny
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>>
>>
>>
>> _______________________________________________
>> Nfdump-discuss mailing list
>> Nfdump-discuss@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>>
> 
> --
> Be nice to your netflow data. Use NfSen and nfdump :)
> 

-- 
Be nice to your netflow data. Use NfSen and nfdump :)
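
The extrapolation and accuracy points discussed in this thread, as an added example that is not part of the original mails or of nfdump. It undoes the sampling-rate scaling on the quoted summary line and applies the commonly cited packet-sampling approximation, 95% relative error of about 196 * sqrt(1/samples) percent; that formula and the 60-second window are assumptions not stated in the thread.

```python
import math
import re

# Constructed input: the summary line quoted in the thread, joined onto one line.
SUMMARY = ("Summary: total flows: 11292, total bytes: 27533130000, "
           "total packets: 56460000, avg bps: 3672369329, "
           "avg pps: 941329, avg bpp: 487")
SAMPLING_RATE = 5000   # "sflow sampling-rate 5000" from the posted config
WINDOW_SECONDS = 60    # assumption: the one-minute time window shown in the post


def parse_summary(line):
    """Turn an nfdump 'Summary:' line into a dict of integer fields."""
    return {k.strip(): int(v) for k, v in re.findall(r"([a-z ]+): (\d+)", line)}


def relative_error_95(samples):
    """Approximate 95% relative error, in percent, of a packet-count
    estimate that rests on `samples` sampled packets."""
    if samples <= 0:
        return math.inf
    return 196.0 * math.sqrt(1.0 / samples)


def analyse(line, rate, window=WINDOW_SECONDS):
    s = parse_summary(line)
    samples = s["total packets"] // rate  # undo the extrapolation
    return {
        "samples": samples,
        # True when every flow record was built from exactly one sampled packet
        "one_sample_per_flow": samples == s["total flows"],
        "sampled_bytes": s["total bytes"] // rate,
        "gbit_per_s": s["total bytes"] * 8 / window / 1e9,
        "error_total_pct": relative_error_95(samples),
        # a flow seen in a single sample carries the worst-case error
        "error_single_sample_flow_pct": relative_error_95(1),
    }


if __name__ == "__main__":
    for key, value in analyse(SUMMARY, SAMPLING_RATE).items():
        print(f"{key}: {value}")
```

On these numbers the aggregate packet estimate rests on 11292 samples, while each individual flow record rests on one, which is why per-flow figures deviate far more than the total.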
