Graph processing difference for DDoS and FMC
The bandwidth calculated for the FMC (Flowmon Monitoring Center) and DDoS (Distributed Denial of Service) graphs may differ because the two use different calculation mechanisms.
Why do the FMC and DDoS graphs differ?
Steps to Reproduce:
All flows are received by the Collector with a delay. The delay depends on the duration of the active and inactive timeouts; therefore, DDoS needs to detect bandwidth in real time.
DDoS calculates the bandwidth for each flow received by the Collector (Bytes/duration), and this value is stored in a buffer (a floating time window of the anomaly length) for each second. If flows have a duration of 0 s and arrive at the same time, they are all aggregated and the statistic is calculated with a duration of 1 s. At a certain moment, the whole duration of a flow is not included in the statistic calculation, because only the current bandwidth is important for detection. Therefore, the longer the flow duration, the bigger the difference between the FMC and DDoS graphs.
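The following Python sketch is an added illustration of the per-second buffer described above, not Flowmon's implementation. It assumes whole-second durations and flows identified by their start second; the `Flow` tuple, the function names and the sample flows are constructed for the example.

```python
from collections import namedtuple

# Hypothetical flow record: start second, duration in seconds, byte count.
Flow = namedtuple("Flow", "start duration bytes")

def per_second_buffer(flows, now, window):
    """Return {second: bytes/s} for the `window` seconds ending at `now`.

    Each flow contributes Bytes/duration to every second it covers.
    Seconds that fall outside the floating window are not counted.
    """
    first = now - window + 1
    buf = {s: 0.0 for s in range(first, now + 1)}
    for f in flows:
        dur = f.duration if f.duration > 0 else 1  # 0 s flows are counted as 1 s
        rate = f.bytes / dur                       # Bytes/duration
        for s in range(f.start, f.start + dur):
            if s in buf:                           # only the part inside the window
                buf[s] += rate
    return buf

def counted_bytes(buf):
    """Bytes represented by the buffer (each slot covers one second)."""
    return sum(buf.values())

# Constructed sample flows (not real traffic).
FLOWS = [
    Flow(start=100, duration=60, bytes=6_000_000),  # long flow, 100 000 B/s
    Flow(start=150, duration=5, bytes=50_000),      # short flow, 10 000 B/s
    Flow(start=155, duration=0, bytes=1_500),       # two 0 s flows arriving in
    Flow(start=155, duration=0, bytes=500),         # the same second: aggregated
]

if __name__ == "__main__":
    buf = per_second_buffer(FLOWS, now=159, window=10)
    for second, rate in sorted(buf.items()):
        print(f"t={second}s  {rate:>10.0f} B/s")
    total = sum(f.bytes for f in FLOWS)
    print(f"bytes in window: {counted_bytes(buf):.0f} of {total} exported")
```

With a 10-second window ending at second 159, only 10 of the long flow's 60 seconds fall inside the buffer, so most of its bytes never enter the current-bandwidth statistic.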
Example of Buffer function: