Graph processing difference for DDoS and FMC

Calculated bandwidth for graphs FMC (Flowmon Monitoring Center) and DDoS (Distributed Denial of Service) may differ due to different calculation mechanism.
For purpose of detection rules, DDoS process traffic according to available information in the form of flow statistics, to create a view of traffic bandwidth in real time.

In general, the bandwidth for DDoS graph is lower that for FMC graph, because visibility is limited only to the set anomaly length.

FMC processess all flows that come in the profile granularity interval and then the bandwidth is calculated as "transferred bytes/granularity of the profile (in seconds)". FMC therefore cannot reflect the real view of the network in real time.

Product:DDoS

Version: Any

Platform: Any

Why the graph between the FMC and DDoS differ?

All flows are received by Collector with a delay. This depend on the duration of the active and inactive timeout therefore DDoS needs to detect bandwidth in real time.

DDoS calculates the bandwidth for each flow received by Collector (Bytes/duration) and this value is stored in buffer (floating time window of anomaly length) for each second. If the flows duration is 0s and these flows arrived in same time, all these flows are aggregated and statistic is calculated with duration 1s. At certain moment, whole duration of the flow is not included for statistic calculation. This is because only the current bandwith is important for detection. Therefore, the longer duration of the flow causes bigger differences between FMC and DDoS graphs.
To display bandwidth in a graph, statistics are aggregated in 30s interval.

To get smallest possible difference we recommend set lower active and inactive timeout e.g. (30/5).

Example of Buffer function:
-anomaly length 90s (each column represents 10s)
-for every second buffer saves statistics for new incomming flow
-for 4 received flows, bandwidth is changing in time