4 Sep
2015
4 Sep
'15
12:31 a.m.
On Thu, Sep 3, 2015 at 2:03 AM, coderman <coderman@gmail.com> wrote:
there is a second limit here, which is the netflow channel capacity / storage limit, if you introduce simulated flows at a rate beyond this capacity, you may become unobservable (via loss) resulting in failure to correlate.
I've seen ISP saturate their own backbone with netflow during nice UDP DoS, collectors had to be hung off local router ports after that.
this is why i asked about logical injection via userspace of billions of flows per minute as a resistance measure. (e.g. scapy or other raw inject across a border with cooperating peer, if needed.)
If the collector is not protected you can inject bogus flows, implicate your neighbor and fill disks.