A few days ago we were hit by a DDoS. Below is the netflow data, but I'm confused by the numbers I'm seeing here.
If you look at the Bytes(%) column in the first row, 67.2 G(80.6), that is in GB, so what does it mean? I checked the network interface graph and I only see a spike on the 2G link.
Top 10 IP Addr ordered by packets:
Date first seen Duration Proto IP Addr Flows(%) Packets(%) Bytes(%) pps bps bpp
2017-01-02 13:49:03.031 960.927 any 70.xx.xx.26 18659( 1.5) 52.3 M(29.4) 67.2 G(80.6) 54456 559.6 M 1284
2017-01-02 13:56:24.412 258.948 any 23.xx.xx.62 9( 0.0) 15.8 M( 8.9) 21.9 G(26.3) 60904 677.0 M 1389
2017-01-02 13:49:02.981 961.013 any 70.xx.xx.6 76721( 6.0) 15.3 M( 8.6) 2.1 G( 2.5) 15957 17.4 M 136
2017-01-02 13:49:03.029 960.970 any 70.xx.xx.5 76277( 5.9) 15.1 M( 8.5) 2.1 G( 2.5) 15675 17.1 M 136
Edit:
Netflow configuration:
flow record netflow-record
match ipv4 destination address
match ipv4 source address
match transport destination-port
match transport source-port
match ipv4 protocol
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
flow exporter netflow-exporter
destination x.x.x.x
source TenGigabitEthernet0/0/0
transport udp 9995
!
flow monitor netflow-monitor
exporter netflow-exporter
cache timeout active 60
record netflow-record
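Added example, not part of the post: a Python parser for the nfdump top-N rows quoted above that expands the K/M/G suffixes and recomputes the bps and bpp columns from the Bytes, Duration and Packets columns, showing that the Bytes figure is a total over the flow's lifetime and bps is the average over that lifetime (not the peak a link graph shows). The regex layout, the 5% rounding tolerance and the window-total estimate from Bytes(%) are my assumptions about nfdump's stat output.

```python
import re

# Constructed input: the four nfdump "Top 10 IP Addr ordered by packets" rows
# quoted in the post, masked "xx" octets left exactly as posted.
NFDUMP_TOP = """\
2017-01-02 13:49:03.031 960.927 any 70.xx.xx.26 18659( 1.5) 52.3 M(29.4) 67.2 G(80.6) 54456 559.6 M 1284
2017-01-02 13:56:24.412 258.948 any 23.xx.xx.62 9( 0.0) 15.8 M( 8.9) 21.9 G(26.3) 60904 677.0 M 1389
2017-01-02 13:49:02.981 961.013 any 70.xx.xx.6 76721( 6.0) 15.3 M( 8.6) 2.1 G( 2.5) 15957 17.4 M 136
2017-01-02 13:49:03.029 960.970 any 70.xx.xx.5 76277( 5.9) 15.1 M( 8.5) 2.1 G( 2.5) 15675 17.1 M 136
"""

SCALE = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}  # nfdump unit suffixes
NUM = r"(?P<{n}>[\d.]+)\s*(?P<{n}_u>[KMGT]?)"            # "52.3 M" or "18659"
PCT = r"\(\s*(?P<{n}_pct>[\d.]+)\)"                       # "(29.4)" or "( 1.5)"
LINE_RE = re.compile(  # assumed column layout of nfdump's top-N statistics
    r"^(?P<first>\S+ \S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+(?P<addr>\S+)\s+"
    + NUM.format(n="flows") + PCT.format(n="flows") + r"\s+"
    + NUM.format(n="pkts") + PCT.format(n="pkts") + r"\s+"
    + NUM.format(n="bytes") + PCT.format(n="bytes") + r"\s+"
    + NUM.format(n="pps") + r"\s+" + NUM.format(n="bps") + r"\s+(?P<bpp>\d+)$")

def parse_top_n(text):
    """Parse nfdump top-N stat lines into absolute numbers (unit suffixes expanded)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank or summary line
        g = m.groupdict()
        absolute = lambda n: float(g[n]) * SCALE[g[n + "_u"]]
        rows.append({"addr": g["addr"], "duration_s": float(g["dur"]),
                     "flows": absolute("flows"), "packets": absolute("pkts"),
                     "bytes": absolute("bytes"), "bytes_pct": float(g["bytes_pct"]),
                     "pps": absolute("pps"), "bps": absolute("bps"), "bpp": int(g["bpp"])})
    return rows

def check_rates(row, tolerance=0.05):
    """Recompute what nfdump prints: bps = bytes*8/duration (an average over the
    flow's lifetime, not a peak) and bpp = bytes/packets.  Displayed values are
    rounded to three significant digits, hence the tolerance."""
    avg_bps = row["bytes"] * 8 / row["duration_s"]
    avg_bpp = row["bytes"] / row["packets"]
    return {"avg_bps": avg_bps, "avg_bpp": avg_bpp,
            "bps_matches": abs(avg_bps - row["bps"]) / row["bps"] < tolerance,
            "bpp_matches": abs(avg_bpp - row["bpp"]) / row["bpp"] < tolerance}

def estimate_total_bytes(row):
    """Bytes(%) is this address's share of all bytes in the queried window."""
    return row["bytes"] / (row["bytes_pct"] / 100.0)
```

For the first row this gives about 559 Mbit/s averaged over 961 s and roughly 83 GB for the whole window, so a brief spike near 2 Gbit/s on the interface graph and a 67.2 GB total for one source are consistent with each other.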