Successful DDoS triage and mitigation depend on two things: speed of detection and accuracy of detection. When users are considering a DDoS solution, I am often asked whether it is best to use NetFlow or sFlow. NetFlow is a summary record format, in which a router or other exporting device tabulates statistics on each flow of packets. sFlow randomly grabs one in every N packets flying by and immediately sends it to the collector. Because of the nature of the Internet, it can take some time before an attack reaches full strength.
Source: https://www.darkreading.com/attacks-breaches/netflow-or-sflow-for-fastest-ddos-detection-
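
An added example, not part of the original article: a collector-side check that scales each sFlow sample by the sampling rate N to estimate packets per second per destination, and reports when a ramping attack first crosses a threshold. The sampling rate, window, threshold, addresses and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

SAMPLING_N = 1000        # assumed: agent forwards 1 of every N packets
WINDOW_MS = 1000         # assumed sliding window for the rate estimate
THRESHOLD_PPS = 50_000   # assumed per-destination alert threshold


def first_alerts(samples, n=SAMPLING_N, window_ms=WINDOW_MS, threshold=THRESHOLD_PPS):
    """samples: time-ordered (timestamp_ms, dst_ip), one per sampled packet.

    Returns {dst_ip: (alert_time_ms, estimated_pps)} for the first crossing only.
    """
    recent = defaultdict(deque)   # dst_ip -> sample timestamps inside the window
    alerts = {}
    for ts, dst in samples:
        q = recent[dst]
        q.append(ts)
        while q[0] <= ts - window_ms:       # drop samples older than the window
            q.popleft()
        # Each sample stands for roughly n packets on the wire.
        est_pps = len(q) * n * 1000 // window_ms
        if est_pps >= threshold and dst not in alerts:
            alerts[dst] = (ts, est_pps)
    return alerts


def constructed_samples():
    """Constructed data: steady background plus an attack that ramps up."""
    out = []
    for sec in range(8):                     # ~5,000 pps to a normal host
        out += [(sec * 1000 + i * 200, "192.0.2.10") for i in range(5)]
    ramp = [2, 5, 10, 20, 40, 50, 100, 100]  # samples per second seen for the victim
    for sec, k in enumerate(ramp):
        out += [(sec * 1000 + i * (1000 // k), "198.51.100.7") for i in range(k)]
    return sorted(out)


if __name__ == "__main__":
    for dst, (ts, pps) in first_alerts(constructed_samples()).items():
        print(f"{dst}: ~{pps} pps estimated at t={ts} ms")
```

With this constructed ramp the estimate crosses the threshold late in the sixth second, well before the traffic reaches its full rate, while the background host never alerts.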

