
Fast DDoS Mitigation with NetFlow

By Dr. Vincent Berk | January 16, 2015


NetFlow is an abundant data source in any organization, because most routing and switching devices will export some form of NetFlow/sFlow/jFlow/IPFIX. Using flow formats to detect an incoming Distributed Denial of Service (DDoS) attack is therefore both a logical choice and a practical convenience. However, NetFlow also has drawbacks that may impact detection speed if not carefully considered. Below are some factors that affect how quickly a DDoS can be detected using NetFlow.


A big factor in fast DDoS detection is the speed at which your routers or switches export their flows. Most devices are configured to export flow records when the flow is 60 seconds old. This can add up to a full minute of delay before the router starts sending evidence of the ongoing attack. Since this delay is configurable on most devices, we highly recommend you dial this number down to 15 or even 10 seconds. Every second counts when fighting an incoming DDoS.


When a “view” or a “graph” of NetFlow data is displayed, you are actually looking at an aggregation of the underlying NetFlow: the actual flows are dropped into buckets before analysis can happen. Most typically, DDoS attacks are detected based on a significant deviation in volume. This means a threshold is set, or a threshold is learned (both options are available in FlowTraq), and the “buckets” must fill to this threshold before a DDoS is detected. The bigger the buckets are, the longer it will take to fill to the threshold point. Smaller buckets overflow faster, leading to faster detections in most cases. In general, this means that the bigger, louder, and more voluminous a DDoS attack is, the sooner any detector will pick it up.

Conventional flow tools create their minute-by-minute (or even 5-minute-by-5-minute) buckets as the flow comes in, losing granularity instantly. FlowTraq does this differently: flow is stored, and at the time of graph/view creation the buckets are filled dynamically at the required granularity, giving FlowTraq a detection speed advantage.


Sampling is a technique used to reduce the load on the analysis engine, because analysis engines typically don’t scale well. When sampling 1:50,000 flows, the error in the DDoS analysis becomes much bigger. This means you cannot simply trigger an alert when you cross a threshold, because a high sampling rate carries a potentially huge mathematical error. The bigger the sampling rate, the bigger the deviation needs to be to confidently say there is a DDoS happening. FlowTraq was designed to scale in clusters to handle large volumes of traffic while reducing the need to sample data. This means the answers are more accurate, and FlowTraq alerts faster with higher confidence.

FlowTraq reduces or eliminates the need for sampling. More accuracy in your data means more speed in your DDoS detection.
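How much bigger the deviation has to be at a given sampling rate can be worked out directly. The Python sketch below is an added example, not FlowTraq code; it assumes random 1-in-N sampling, a normal approximation at roughly 95% confidence, and a constructed threshold of 1,000,000 packets per bucket.

```python
import math

Z_95 = 1.96  # normal quantile for ~95% confidence (assumed confidence level)

def lower_bound(samples: int, rate: int, z: float = Z_95) -> float:
    """Lower confidence bound on the true count behind `samples` observations
    taken with random 1-in-`rate` sampling (rate=1 means unsampled)."""
    # Binomial sampling: variance of the sampled count ~= samples * (1 - 1/rate),
    # so the scaled-up estimate has standard error rate * sqrt(that).
    std_err = rate * math.sqrt(samples * (1 - 1 / rate))
    return max(0.0, samples * rate - z * std_err)

def should_alert(samples: int, rate: int, threshold: int, z: float = Z_95) -> bool:
    """Alert only when even the pessimistic estimate exceeds the threshold."""
    return lower_bound(samples, rate, z) > threshold

def min_confident_volume(rate: int, threshold: int, z: float = Z_95) -> int:
    """Smallest scaled-up estimate that triggers an alert at this sampling rate."""
    samples = threshold // rate  # start where estimate <= threshold (no alert)
    while not should_alert(samples, rate, threshold, z):
        samples += 1
    return samples * rate

if __name__ == "__main__":
    THRESHOLD = 1_000_000  # constructed per-bucket packet threshold
    for rate in (1, 1_000, 50_000):
        need = min_confident_volume(rate, THRESHOLD)
        print(f"1:{rate:<6} alert needs estimate >= {need:>9,} "
              f"({100 * (need - THRESHOLD) / THRESHOLD:.1f}% over threshold)")
```

Under these assumptions, unsampled data can alert as soon as the threshold is crossed, while at 1:50,000 the estimate has to overshoot the threshold by more than half before the alert is statistically defensible.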

Finally, not all DDoS attacks are equally easy to pick up. SYN flood and reflection-style attacks are more straightforward, since both are very volumetric and loud in nature. Slowloris and RUDY-style DDoS attacks are much harder to see fast, as the traffic volumes may never exceed normal levels on the packet level. Instead, FlowTraq detects these attacks by tracking the number of concurrent sessions, which do go up substantially.