NetFlow data can be used to identify attacks on your network such as denial of service (DoS), viruses, and worms. Changes in network behavior is represented clearly with NetFlow data and understanding these deviations from normalcy can help in identifying harmful anomalies. An event or condition in the network that deviates from previously typical traffic patterns is considered an anomaly.
opFlow can detect anomalies by determining an average network usage baseline and comparing it with traffic of a suspected anomaly event. DoS attacks flood the network with packets from an untrusted source and usually it is a rather large packet size. Packet sizes should be no larger than 150 bytes, creating an ingress policy for specific ports to discard packets larger than 150 bytes could prevent some DoS attacks from ever occurring.
NetFlow collects the Packet source, Port number, Destination Packet size, and Protocol number. Understanding what ports are commonly used on your network can help you in determining if abnormal activity is coming through. Using the Conversation Summary feature in opFlow allows for a detailed look into all conversations happening on your network. In Figure 1 below, you can see that I am filtering the ports to only show Src Port 443. I have it sorted to show packets received in descending order to see if the packet count is any higher than normal; this is why understanding what normal packet sizes are as well as their ports/sources is important for any network engineer.
Figure 1 - Conversation Summary