Why netflow is not an best solution for DoS/DDoS attack detection?
* It need additional licenses or even hardware (Juniper MX240, MX480, MX960 - additional license)
* It realized in software and can overload equipment (Juniper SRX, J-series, Microtic, VmWare, Linux)
* Even on top equipment flow-active-timeout starts from 60 seconds and it's very slow for massive attacks and slow-speed-attacks both