29 Feb 2016, 2:32 a.m.
On 29 Feb 2016, at 14:26, Pavel Odintsov wrote:
> From my own experience sFlow should be selected if you are interested in internal packet payload (for DPI / DDoS detection) or you need fast reaction time on some actions (DDoS is the best example).
This does not match my experience. In particular, the implied canard about flow telemetry being inadequate for timely DDoS detection/classification/traceback grows tiresome, as it's used for that purpose every day, and works quite well. If one is also using an IDMS-type device to mitigate DDoS traffic, the device sees the whole packet, anyways.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>