As shown in Figure 4, the attack traffic is focused on the DNS server, 10.248.114.10.

Looking at the flow data, we see that all the flows are a single packet, UDP, and the destination is port 53. We can also tell that none of these are valid DNS requests because, at 1,308 bytes, the packet is way too big. DNS responses can be large, but a single DNS request should not be more than 150 bytes. Based on this information, an ingress policy could be written that would discard any packets larger than 150 bytes that are destined to the DNS server on UDP port 53.
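The same check applied to exported flow records, as an added example that is not part of the original page. The CSV layout and the sample records are constructed, and packet size is taken as flow bytes divided by flow packets, which is an assumption about what the exporter reports.

```python
import csv
import io
from collections import Counter

DNS_SERVER = "10.248.114.10"    # DNS server named on the page
MAX_DNS_REQUEST_BYTES = 150     # request size ceiling stated on the page
UDP = "17"                      # IP protocol number for UDP

# Constructed sample flow records (not real export data). Source addresses
# come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = """src_ip,dst_ip,proto,dst_port,packets,bytes
198.51.100.7,10.248.114.10,17,53,1,1308
203.0.113.44,10.248.114.10,17,53,1,1308
192.0.2.15,10.248.114.10,17,53,1,74
192.0.2.15,10.248.114.10,6,53,5,420
198.51.100.9,10.248.114.20,17,53,1,1308
203.0.113.80,10.248.114.10,17,53,3,3924
"""


def is_oversized_dns_request(flow):
    """True for UDP/53 flows to the DNS server whose packets exceed the limit."""
    if (flow["dst_ip"], flow["proto"], flow["dst_port"]) != (DNS_SERVER, UDP, "53"):
        return False
    packets = int(flow["packets"])
    if packets == 0:
        return False  # malformed record, nothing to measure
    # Average packet size, so multi-packet flows are judged per packet.
    return int(flow["bytes"]) / packets > MAX_DNS_REQUEST_BYTES


def analyze(flow_csv):
    """Return the flagged flows and a per-source count of flagged flows."""
    flagged = [f for f in csv.DictReader(io.StringIO(flow_csv))
               if is_oversized_dns_request(f)]
    return flagged, Counter(f["src_ip"] for f in flagged)


if __name__ == "__main__":
    flagged, per_source = analyze(SAMPLE_FLOWS)
    print(f"{len(flagged)} flows would be discarded by the ingress policy")
    for src, count in per_source.most_common():
        print(f"  {src}: {count}")
```

Normal-sized queries, TCP/53 traffic, and traffic to other hosts pass the check, which mirrors the scope of the ingress policy described above.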

In the example below, you can see how the opFlow server collects and analyzes NetFlow information received by the router.

Figure 5 - NetFlow Diagram