We used ip accounting the other night to detect and disable a large
number of worm infected users that took out the router completely.. I
think net flow would have been too much overhead at the time... Once we
were down to a more manageable number of infected users, we used netflow
to pinpoint them immediately... (Note, we don't leave netflow on all
the time)
One method for limiting netflow accounting to manageable ammounts is to
access-list the port involved. This is why I did institute 135 blocking.
This flags the flow as inactive which only holds it for like 15 seconds
on default. Of course, this still may not be enough for some routers. I
just happen to have prepared for this actual event due to constant DDOS
attacks about nine months ago (reverse view, change rule matches).
