...

In the example in Figure 2 above, UDP:32760 appears in the second row; this is normal traffic for this particular network. The domain (DNS) traffic in the first row is unusual. From this we can infer that the attack traffic is related to UDP destination port 53. To narrow in on this traffic, navigate to menu -> Views -> Conversation Map. The time interval remains the same as the "Specific Time" filter entered in the Advanced menu earlier.

Figure 3 - Conversation Map

The flow data table is found below the Conversation Map. Click the Time header of the flow data table to sort by time, then change the records per page to 500; the Conversation Map updates to represent the 500 displayed flow records. Select the page of flow data that best covers the time of the DDoS attack. The Conversation Map above indicates that all the traffic is focused on one destination. Disable "Zoom Lock" on the map, then zoom into the center to determine the attack target.

Figure 4 - Flow Data Table

Figure 4 shows that the attack traffic is focused on the DNS server, 10.248.114.10.
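The same reasoning that the Conversation Map and flow data table support visually (is nearly all traffic in the interval going to one destination, and on which protocol/port?) can be applied directly to flow records. The Python below is an added example and not opFlow's own code: the flow records are constructed to mimic the scenario above (a UDP:53 flood toward 10.248.114.10 mixed with ordinary UDP:32760 and TCP:443 traffic), and the 80% concentration threshold is an assumed heuristic, not an opFlow setting.

```python
"""Locate the focus of a volumetric attack from NetFlow-style records.

Added example (not opFlow's own code): it reproduces, in code, the check
applied above to the Conversation Map and flow data table, i.e. "is nearly
all of the traffic in this interval going to one destination, and on which
port?"
"""
from collections import defaultdict
from typing import Iterable, NamedTuple, Optional


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dst_port: int
    bytes: int


# Constructed sample records for one time interval. The 192.0.2.x and
# 198.51.100.x sources are the flood toward the DNS server on UDP:53; the
# UDP:32760 and TCP:443 flows stand in for the network's normal traffic.
ATTACK_INTERVAL = [
    Flow("192.0.2.10", "10.248.114.10", "UDP", 53, 900_000),
    Flow("192.0.2.11", "10.248.114.10", "UDP", 53, 850_000),
    Flow("192.0.2.12", "10.248.114.10", "UDP", 53, 800_000),
    Flow("198.51.100.5", "10.248.114.10", "UDP", 53, 750_000),
    Flow("10.248.114.50", "10.248.114.10", "UDP", 53, 2_000),  # legitimate lookup
    Flow("10.248.114.51", "10.248.114.30", "UDP", 32760, 40_000),
    Flow("10.248.114.52", "10.248.114.30", "UDP", 32760, 35_000),
    Flow("10.248.114.53", "10.248.114.40", "TCP", 443, 60_000),
]

# The same normal flows without the flood, for comparison.
NORMAL_INTERVAL = ATTACK_INTERVAL[5:]


def bytes_by(flows: Iterable[Flow], field: str) -> dict:
    """Sum bytes per distinct value of one Flow field (e.g. "dst")."""
    totals: dict = defaultdict(int)
    for f in flows:
        totals[getattr(f, field)] += f.bytes
    return dict(totals)


def dominant(totals: dict):
    """Return (key, share_of_total_bytes) for the largest bucket in totals."""
    grand = sum(totals.values())
    key, top = max(totals.items(), key=lambda kv: kv[1])
    return key, top / grand


def find_attack_focus(flows: list, threshold: float = 0.8) -> Optional[dict]:
    """Flag an interval whose bytes are concentrated on a single destination.

    threshold (80% of bytes to one destination) is an assumed heuristic for
    this example; tune it to the baseline of the network being monitored.
    Returns None when traffic is spread out, as it is in normal operation.
    """
    dst, share = dominant(bytes_by(flows, "dst"))
    if share < threshold:
        return None
    to_dst = [f for f in flows if f.dst == dst]
    # Within the target's traffic, which protocol/port carries the volume?
    port_totals: dict = defaultdict(int)
    for f in to_dst:
        port_totals[(f.proto, f.dst_port)] += f.bytes
    (proto, port), port_share = dominant(port_totals)
    return {
        "dst": dst,
        "share": round(share, 3),
        "proto_port": f"{proto}:{port}",
        "port_share": round(port_share, 3),
        "distinct_sources": len({f.src for f in to_dst}),
    }


if __name__ == "__main__":
    print(find_attack_focus(ATTACK_INTERVAL))   # concentrated on 10.248.114.10, UDP:53
    print(find_attack_focus(NORMAL_INTERVAL))   # None: no single destination dominates
```

On the constructed records the attack interval resolves to 10.248.114.10 with about 96% of the bytes, all of it UDP:53 from five distinct sources, while the normal interval returns None because its largest destination carries only about 56% of the bytes. The distinct-source count is worth reporting alongside the destination, since a flood from many sources to one target is what the Conversation Map above renders as all lines converging on a single point.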

In the example below you can see how the opFlow server collects and analyzes the NetFlow information received from the router.

...