...
opFlow can detect anomalies by determining an average network usage baseline and comparing it with traffic of a suspected anomaly event. Using a threshold system, you could create a rule to notify you of network behavior which current value exceeds the mean by two or three times the standard deviation. DoS attacks flood the network with packets from an untrusted source and usually it is a rather large packet size. Packet sizes should be no larger than 150 bytes, creating an ingress policy for specific ports to discard packets larger than 150 bytes could prevent some DoS attacks from ever occurring.
NetFlow collects: Packet source, Port number, Destination Packet size, and Protocol number.