THRESHOLD DETECT DDOS?

[jcb]

Recently our network has suffered an attack of DDOS. Began 12:00 AM and was until 08:00 AM the morning (8 hours duration). During this period, the rate of use of the link main was of 103 Mbps. I think that if we had configuring a threshold, we would have received a ALERT. How to configure a threshold for this case? By what I can verify, every 5 minutes, a status is generated: Alerta Trigger, Warm Trigger, Re-Trigger,etc. If I define my BREACH WINDOW in 15 minutes and the number of times(BREACH COUNT) that the threshold needs to be violated in 2, then in the period of 15 minutes to occur two breaches of threshold, I receive the email alert. If occurs only a violation of the HIGH THRESHOLD, then I am not warning; but no more than a notice of warning by the shape of an WARNING HIGH THRESHOLD. Then what would be the parameters to detect a DDOS with this lenght of time?