I have a budget-minded client who wants to see when there is a DDoS attack on the network so they can blackhole route the attack with a homespun tool. Currently they have devices exporting only sFlow traffic. The sysadmin says that they need different hardware and full NetFlow export for DDoS detection. Is that accurate?
In my experience sFlow is actually really good for fast DDoS detection, at least for volumetric DDoS attacks like reflection attacks or packet floods. The reason for this lies in the differences between sFlow and NetFlow.
NetFlow keeps state in the router, and if the flow is either inactive for a while (usually 15 seconds or so), or goes on long (usually 60 seconds), then the summary state of that flow is sent to the collector. This means an accurate account of the traffic is made, but might not arrive at your detector until the attack is already a minute underway!
Unlike NetFlow, the sFlow strategy is to send packet samples every 1 in N (usually 1/512 or 1/1024 or so). This means your detection software can "see" the attack almost immediately!
So stick with the sFlow exports, no need to add hardware. Here is some additional detail on the differences between NetFlow and sFlow: http://www.flowtraq.com/corporate/resources/whitepapers/the-netflowsflowcflowjflow-flow-dilemma/
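As an added illustration (not part of the original answer), the sketch below shows how a homespun detector can turn 1-in-N sFlow packet samples into per-destination rate estimates within a one-second window. It assumes the sFlow datagrams have already been decoded into `(timestamp, dst_ip, frame_len)` tuples; the function names, the 100,000 pps threshold, and the sample data are constructed for the example.

```python
from collections import defaultdict

def detect_floods(samples, sampling_rate, window_s=1, pps_threshold=100_000):
    """Estimate per-destination load from sFlow packet samples.

    samples: iterable of (timestamp_s, dst_ip, frame_len) tuples (assumed to be
    already decoded from sFlow flow samples). Each sample stands in for
    `sampling_rate` real packets. Returns (window_start, dst_ip, est_pps, est_bps)
    for every window/destination whose estimated packet rate meets the threshold.
    """
    buckets = defaultdict(lambda: [0, 0])  # (window_start, dst) -> [pkts, bytes]
    for ts, dst, frame_len in samples:
        key = (int(ts // window_s) * window_s, dst)
        buckets[key][0] += 1
        buckets[key][1] += frame_len

    alerts = []
    for (start, dst), (pkts, nbytes) in sorted(buckets.items()):
        est_pps = pkts * sampling_rate / window_s
        est_bps = nbytes * 8 * sampling_rate / window_s
        if est_pps >= pps_threshold:
            alerts.append((start, dst, est_pps, est_bps))
    return alerts

def build_constructed_samples():
    """Constructed data: light background traffic, then a flood from t=3s."""
    samples = []
    for t in range(5):  # about 1,024 pps of normal traffic at 1-in-512 sampling
        samples.append((t + 0.1, "192.0.2.10", 500))
        samples.append((t + 0.6, "192.0.2.10", 500))
    for i in range(800):  # 400 samples per second for two seconds
        samples.append((3 + i / 400, "198.51.100.7", 1400))
    return samples

if __name__ == "__main__":
    for start, dst, pps, bps in detect_floods(build_constructed_samples(), 512):
        # A real tool would hand dst to its blackhole-route step here.
        print(f"t={start}s dst={dst} ~{pps:,.0f} pps ~{bps / 1e9:.2f} Gbit/s")
```

The flood is flagged in the first window it appears in, because the samples reach the collector as they are taken rather than after a flow timeout. Lower sampling rates or shorter windows mean fewer samples per estimate, so the threshold should leave headroom for sampling noise.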