First, I would ABSOLUTELY agree with the approach darragh.delaney outlines. When troubleshooting a potential attack, there is really no such thing as too much information.
However, to your point about not wanting to use DPI, you should be able to easily capture this information from NTA, as it captures the following 7 fields from your packet headers:
- ifIndex
- Source IP
- Destination IP
- IP Protocol
- Source port
- Destination Port
- ToS
While not nearly as verbose as DPI, with the right architecture you can certainly ID 'safe' traffic for your network. By default, this should assist you with quickly identifying 'potential threat' traffic as it occurs. Unfortunately, I do not know off-hand of a video series devoted to identifying DDoS via NetFlow. If you care to trudge through the white papers, here's a really good start: A Cisco Guide to Defending Against Distributed Denial of Service Attacks - Cisco Systems
I would like to mention one quick thing, though: you can't run NTA without NPM. I would really look at NPM v11 and test the free Network Packet Analysis Sensor. I think you'll be surprised at how easy it is to use and how it really ties in the missing data that you are usually looking for after starting with NTA.
Loop1 Systems: SolarWinds Training and Professional Services
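As an added illustration of the idea in the reply above (example code written for this page, not part of the original post and not SolarWinds NTA code), the script below aggregates the seven NetFlow header fields per destination service, excludes a hypothetical 'safe' baseline, and flags services hit by an unusually large number of distinct sources or flows. The addresses, thresholds and the `SAFE_SERVICES` baseline are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record carrying the seven header fields listed above."""
    if_index: int
    src_ip: str
    dst_ip: str
    proto: int      # 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int
    tos: int


# Hypothetical 'safe' baseline: services the operator expects heavy traffic on,
# keyed by (dst_ip, proto, dst_port). Addresses are constructed for the example.
SAFE_SERVICES = {("10.0.0.5", 6, 443), ("10.0.0.9", 17, 53)}


def flag_ddos_candidates(flows, min_sources=50, min_flows=200):
    """Aggregate flows per destination service and return those hit by at least
    min_sources distinct source IPs or min_flows flows, skipping the safe
    baseline. Result: {(dst_ip, proto, dst_port): (distinct_sources, flow_count)}."""
    sources = defaultdict(set)
    counts = defaultdict(int)
    for f in flows:
        key = (f.dst_ip, f.proto, f.dst_port)
        sources[key].add(f.src_ip)
        counts[key] += 1
    return {
        key: (len(sources[key]), counts[key])
        for key in counts
        if key not in SAFE_SERVICES
        and (len(sources[key]) >= min_sources or counts[key] >= min_flows)
    }


def sample_flows():
    """Constructed sample: normal HTTPS and DNS, a few SSH sessions, and a UDP
    flood toward 10.0.0.7:80 from 254 distinct sources (300 flows)."""
    https = [Flow(1, f"192.0.2.{i}", "10.0.0.5", 6, 40000 + i, 443, 0) for i in range(1, 21)]
    dns = [Flow(1, f"192.0.2.{i}", "10.0.0.9", 17, 50000 + i, 53, 0) for i in range(1, 21)]
    ssh = [Flow(1, f"192.0.2.{i}", "10.0.0.11", 6, 51000 + i, 22, 0) for i in range(1, 4)]
    flood = [Flow(2, f"198.51.100.{i % 254 + 1}", "10.0.0.7", 17, 1024 + i, 80, 0) for i in range(300)]
    return https + dns + ssh + flood


if __name__ == "__main__":
    for (dst, proto, port), (n_src, n_flows) in flag_ddos_candidates(sample_flows()).items():
        print(f"potential DDoS: {dst} proto={proto} port={port}: {n_src} sources, {n_flows} flows")
```

Tuning `min_sources` and `min_flows` against your own baseline is what separates a noisy alert from a useful one; the low-volume SSH service only shows up once the source threshold is lowered.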