Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Vincent Berk
Vincent Berk
Connect Directly
E-Mail vvv

NetFlow Or sFlow For Fastest DDoS Detection?

It's still not an easy choice, but combined with the faster NetFlow exporters that have recently come to market, the speed advantage of sFlow is starting to fade.

Successful distributed denial of service (DDoS) triage and mitigation depend on two things: speed of detection and accuracy of detection. When users are considering a DDoS solution, I am often asked if it is best to use NetFlow or sFlow. To understand what is best, we must first take a brief look at the differences between the two types of flow data.

NetFlow (and the very closely related cFlow, JFlow, and IPFIX) is a summary record format, where a router or other exporting device tabulates the statistics on each flow of packets flying by. A flow is typically defined as the 5-tuple of sending IP and port, receiving IP and port, and the protocol. Each packet is tabulated and added to the appropriate row in the table: 1 more packet, X more bytes. State is kept on every flow that the exporter observes, and when a flow is 60 seconds old, the record is sent to the collector, which has the task of detecting the denial of service attack.

sFlow takes a slightly different approach, keeping no state at all. Instead sFlow randomly grabs one in every N packets flying by and immediately sends it to the collector. Although this approach may appear somewhat less accurate than the NetFlow tabulation, it is actually very good for fast DDoS detection. As the flood or amplification attack starts to ramp up, the rate of packets flowing by the exporter starts to increase very rapidly. This means that the number of packet samples going to the collector (which is responsible for the DDoS detection) starts to increase immediately.

Although the NetFlow approach ensures that no packet is missed, which is great for accurate network forensics, the nature of the export timer may result in much slower detections. If the NetFlow exporter has sufficient memory to keep state on all the attack traffic, it may take up to 60 seconds before the detecting collector sees any evidence of the attack! Thankfully though, many newer NetFlow-capable devices can be tuned to export at higher rates, resulting in improved detection times.

Detection accuracy is another matter. Since both sFlow and NetFlow transmit information on sending and receiving port and both transmit information on flag combinations and IP addresses, it is really up to the collector to make an accurate detection. Distinguishing a DNS or NTP amplification attack from a SMURF, or a FRAGGLE attack from a SynFlood, is key in performing effective mitigation. Most triage scenarios (whether using a scrubbing device or manually mitigating) rely on knowing a couple of key factors:

  1. What are the targets being hit?
  2. Are the bit/packet rates sufficiently high to impact the service?
  3. What is the specific type (or types) of attack?

Both NetFlow as well as sFlow provide sufficient detail to accurately make that determination if the detection logic is present in the collector software.

In practice, I have seen both sFlow and NetFlow variants deployed very successfully in DDoS detection. Although I have seen sFlow deployments detect DDoS attacks in as little as 3 seconds, the nature of the Internet has made it such that it can take some time before the attack reaches full strength.

Combined with the faster NetFlow exporters that have recently started to reach the market, the speed advantage of sFlow is starting to fade. Also, keep in mind that many environments will not have a choice, as the exporting hardware is already in place, supporting only a single type of export. So the choice may not be yours, and both approaches can be used to tune and finesse for detection speed and accuracy. Most importantly, if you have both, then use both. The better the visibility, the better your defense.

Dr. Vincent Berk is CEO of FlowTraq with 15 years of IT security and network management experience. He is a member of ACM and the IEEE. View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Ninja
1/26/2016 | 1:00:57 PM
NetFlow vs SFlow
My experience with either NetFlow or SFlow has been extremely poor with all the Sonicwall NSA series firewalls. Even the highest model such as the NSA 6600, the statistical data gathered is completely inaccurate in terms of internal or external bandwidth consumption. It is not possible to correct the issue due to lack of complete protocol support in the firmware Dell provides. Sonicwall uses incorrect active timeout packets. Even adjusting this timeout does not correct the issue. This applies to both NetFlow v5 and v9. This is because Sonicwall uses different Netflow9-packets which do not fully comply with the standard of Cisco Netflow 9 packets (for which all sensors are developed for). If you or anyone is looking for a reliable enterprise grade firewall that supports NetFlow or Sflow functionallity, do not use Sonicwall. At just under $20,000 dollars for a Sonicwall NSA 6600...lack of NetFlow support makes it complete garbage.
<<   <   Page 2 / 2
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...