
Effective sampling methods are crucial for detecting and mitigating DDoS attacks. During a recent webinar, Toby Smith, a seasoned network security expert with over a decade of experience at Corero Network Security, delved into the nuances of sampling, focusing on sFlow and its role in Corero’s analytics-driven DDoS protection solutions.
Key Sampling Techniques: Flat vs. Relative
Sampling is the backbone of traffic analysis. Toby outlined two main sampling methods:
- Flat Sampling: This approach keeps a fixed number of samples regardless of how much traffic there is. For instance, taking four samples from every city, whether it is Paris or Rochester, makes storage and analysis predictable. The trade-off is that because the sample count does not grow with the traffic, a flood looks no different from baseline in the sample count alone, so flat samples on their own can obscure the broader traffic pattern during an anomaly such as a DDoS attack.
- Relative Sampling: This method uses a fixed sampling ratio rather than a fixed count. Sampling one out of every 5,000 packets (the 1-in-N model sFlow uses) means the number of samples scales with traffic volume, so a volumetric attack produces proportionally more samples. While relative sampling excels at identifying anomalies, it can strain storage and analytics systems during peak traffic periods, which is precisely when an attack is under way.
Corero’s Approach: Leveraging Both Sampling Methods
To balance the strengths of both methods, Corero employs an integrated approach within its SmartWall ONE™ solution:
- The Network Threat Defense (NTD): This hardware blocks attacks and performs relative (1-in-N) sampling of the traffic it sees, so it exports more samples during high-traffic events.
- The Central Management Server (CMS): This processes the relative samples, selects five of them per second as the flat sample set, and generates metadata summarizing the traffic patterns.
- The SecureWatch Analytics (SWA) Platform: Powered by Splunk, this platform offers robust analytics through detailed event logs (built from the flat samples) and dynamic traffic charts (built from the relative samples).
This architecture ensures both granularity and scalability, allowing users to detect and analyze anomalies effectively without overwhelming the system.
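The following is an added example, not code from the webinar or from Corero's products, that models the two sampling schemes and the three-stage pipeline described above. It constructs a packet-rate timeline with a flood in the middle, applies 1-in-N relative sampling, then caps the result at five samples per second as the flat set, and finally derives per-second metadata (sample count times N) from the relative samples. The sampling ratio (1 in 5,000), the flat cap (5 per second), the packet rates and the 10x detection threshold are all assumed values chosen for illustration.

```python
"""Toy model of relative (1-in-N) sampling versus flat (fixed-count)
sampling for DDoS detection.  All traffic figures below are constructed
for the example; N=5000 and the 5-per-second flat cap are assumed."""
from dataclasses import dataclass

SAMPLE_RATE_N = 5000   # export 1 packet in 5000 (assumed value)
FLAT_PER_SEC = 5       # flat samples kept per second (assumed value)

# Constructed timeline (packets per second): 50k pps baseline with a
# volumetric flood of 5M pps during seconds 5..9.
TIMELINE_PPS = [50_000] * 5 + [5_000_000] * 5 + [50_000] * 5


@dataclass(frozen=True)
class Sample:
    second: int        # which second of the timeline the packet fell in
    packet_index: int  # 0-based index of the sampled packet within that second


def relative_sample(timeline, n=SAMPLE_RATE_N):
    """Deterministic 1-in-N sampling across the whole packet stream.

    Real sFlow chooses samples randomly with a mean gap of N; taking every
    N-th packet gives the same expected sample volume without an RNG, which
    keeps the example reproducible.  Sample counts are computed arithmetically
    so the loop does not have to iterate over millions of packets."""
    samples = []
    seen = 0  # packets that arrived before the current second
    for sec, pps in enumerate(timeline):
        # Global packet numbers are 1-based; packet g is exported when g % n == 0.
        first = (seen // n + 1) * n  # first multiple of n strictly after `seen`
        for g in range(first, seen + pps + 1, n):
            samples.append(Sample(sec, g - seen - 1))
        seen += pps
    return samples


def flat_select(samples, per_sec=FLAT_PER_SEC):
    """Keep a fixed number of samples per second (the CMS step): when a
    second holds more relative samples than the cap, pick them evenly."""
    by_sec = {}
    for s in samples:
        by_sec.setdefault(s.second, []).append(s)
    kept = []
    for sec in sorted(by_sec):
        bucket = by_sec[sec]
        if len(bucket) <= per_sec:
            kept.extend(bucket)
        else:
            step = len(bucket) / per_sec
            kept.extend(bucket[int(i * step)] for i in range(per_sec))
    return kept


def estimate_pps(samples, timeline_len, n=SAMPLE_RATE_N):
    """Per-second traffic metadata: samples in that second times N."""
    counts = [0] * timeline_len
    for s in samples:
        counts[s.second] += 1
    return [c * n for c in counts]


def flag_attack_seconds(estimates, factor=10):
    """Flag seconds whose estimated rate exceeds `factor` x the median
    (a deliberately simple volumetric detector; threshold is assumed)."""
    ordered = sorted(estimates)
    median = ordered[len(ordered) // 2]
    return [sec for sec, est in enumerate(estimates) if est > factor * median]


def run(timeline=TIMELINE_PPS):
    """Run the pipeline and return the figures a practitioner would compare."""
    rel = relative_sample(timeline)
    flat = flat_select(rel)
    rel_est = estimate_pps(rel, len(timeline))
    flat_only_est = estimate_pps(flat, len(timeline))  # what flat samples alone imply
    return {
        "relative_samples": len(rel),
        "flat_samples": len(flat),
        "flagged_from_relative": flag_attack_seconds(rel_est),
        "flagged_from_flat_only": flag_attack_seconds(flat_only_est),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

Relative sampling yields 1,000 samples per second during the flood against 10 per second at baseline, so the count times N reconstructs the 5M pps spike and the detector flags seconds 5 through 9. The flat set stays at five samples per second throughout and, scaled by N alone, reads as a constant 25,000 pps with nothing flagged, which is why the per-second metadata has to be carried alongside the flat samples rather than inferred from them.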
Why Both Methods Matter
The webinar emphasized that neither flat nor relative sampling alone is sufficient. Flat sampling provides consistency and predictability, essential for long-term storage and basic analysis. Meanwhile, relative sampling captures the dynamic nature of network traffic, pinpointing anomalies like DDoS attacks with precision. Used together, they provide a comprehensive view, empowering organizations to protect their networks efficiently.
Conclusion: The Corero Advantage
Corero Network Security’s unique approach bridges the gap between predictability and real-time insight. By integrating cutting-edge sampling techniques into its solutions, Corero enables businesses to mitigate DDoS threats effectively, ensuring service availability and peace of mind.