On Fri, Aug 31, 2018 at 11:09:19AM +0200, H I Baysal wrote:
> My personal view is, as long as you can store your flow info in a timeseries database (like influxdb and NOT SQL LIKE!!!!!!!) you can do whatever you want with the (raw) data. And create custom triggers for different calculations.
For one of our customers I've deployed good old pmacct + MySQL (using memory engine) backend for DDoS detection purposes. It has some drawbacks (e.g. one has to frequently delete old records to keep tables fit and fast) but it allows asking complex SQL queries against these short term data (e.g. different detection logic per subnets) or precompute with triggers.
> Flows are on the fly and are coming in constantly, you could have a calculation like group by srcip and whatever protocol you want or just srcip,
Beware of high cardinality issues when facing random src IP floods. BTW, once again pmacct (with some glue) is nice for feeding flow data into time series database. It can pre-aggregate and pre-filter low volume flows to reduce storage requirements.

--
Paweł Małachowski
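As an added illustration (not part of either message, and not pmacct's own schema or code), here is the shape of the setup Paweł describes in MySQL: a MEMORY-engine flow table, a per-subnet threshold table, a detection query that groups by destination rather than by the high-cardinality source address, and the periodic prune. Column names, prefixes and thresholds are constructed assumptions; IPv4 only for brevity.

```sql
-- Constructed flow table, loosely modelled on pmacct's SQL plugin output.
-- MEMORY keeps it fast but bounds it by max_heap_table_size, hence the prune below.
CREATE TABLE acct (
  ip_src         VARCHAR(45)     NOT NULL,
  ip_dst         VARCHAR(45)     NOT NULL,
  ip_proto       TINYINT UNSIGNED NOT NULL,
  packets        INT UNSIGNED    NOT NULL,
  bytes          BIGINT UNSIGNED NOT NULL,
  stamp_inserted DATETIME        NOT NULL,
  INDEX (stamp_inserted),
  INDEX (ip_dst)
) ENGINE=MEMORY;

-- "Different detection logic per subnet": one threshold row per protected prefix.
-- net_start/net_end hold INET_ATON() bounds so the join needs no CIDR arithmetic.
CREATE TABLE subnet_policy (
  prefix    VARCHAR(18)  NOT NULL,
  net_start INT UNSIGNED NOT NULL,
  net_end   INT UNSIGNED NOT NULL,
  pps_limit INT UNSIGNED NOT NULL,
  PRIMARY KEY (prefix)
) ENGINE=MEMORY;

INSERT INTO subnet_policy VALUES   -- constructed sample thresholds
  ('198.51.100.0/24', INET_ATON('198.51.100.0'), INET_ATON('198.51.100.255'), 20000),
  ('203.0.113.0/24',  INET_ATON('203.0.113.0'),  INET_ATON('203.0.113.255'),   5000);

-- Detection over the last 60 s of short-term data. Grouping by ip_dst keeps the
-- group count small even under a random-source flood; COUNT(DISTINCT ip_src)
-- exposes that flood as a symptom instead of blowing up the key space.
SELECT a.ip_dst,
       p.prefix,
       SUM(a.packets) / 60        AS pps,
       COUNT(DISTINCT a.ip_src)   AS distinct_sources
FROM acct a
JOIN subnet_policy p
  ON INET_ATON(a.ip_dst) BETWEEN p.net_start AND p.net_end
WHERE a.stamp_inserted >= NOW() - INTERVAL 60 SECOND
GROUP BY a.ip_dst, p.prefix, p.pps_limit
HAVING pps > p.pps_limit;

-- Frequent deletion of old records (the drawback noted above), here via the
-- MySQL event scheduler; requires event_scheduler=ON.
CREATE EVENT prune_acct
  ON SCHEDULE EVERY 1 MINUTE
  DO DELETE FROM acct WHERE stamp_inserted < NOW() - INTERVAL 10 MINUTE;
```

The detection SELECT can be wrapped in a stored procedure or trigger to raise an alert row, which is the "precompute with triggers" option from the message.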