The minimum active flow timeout time is 60 seconds, which is a very long time for DDOS attack detection. Why doesn’t Mikrotik allow lower times?
Logically, CCRs do not have sFlow, nor PortMirroring, and if we only have NetFlow to extract traffic information with a minimum of 1 minute of time, we are left without protection against “fast” DDOS attacks.