On Feb 2, 2021, at 00:34, Douglas Fischer <fischerdouglas@gmail.com> wrote:

Or even know if already there is a solution to that and I'm trying to invent the wheel.

Many flow telemetry export implementations on routers/layer3 switches report both passed & dropped traffic on a continuous basis for DDoS detection/classification/traceback.

It's also possible to combine the detection/classification/traceback & flowspec trigger functions.

[Full disclosure: I work for a vendor of such systems.]

--------------------------------------------

Roland Dobbins <roland.dobbins@netscout.com>