Bad Behavior on the 'Net - Who Pays the Bandwidth Bill?
rakolam asks: "I am involved with network management in the hosting department of a fairly large ISP. Constantly we have customers who dispute inbound bandwidth spikes and demand service credits on their burstable connections. Events such as the Slammer virus literally have everyone knocking on their salesperson's door at the end of the billing cycle. My position is that the internet is a public space, and by placing themselves in that space, one has to realize the consequences (and the implications of burstable billing). I'd like Slashdot's perspective on this. Should ISPs ultimately eat the costs of malicious behavior? Is the customer ultimately responsible for the bandwidth they've generated, regardless of whether it's desired or not? Is this a new frontier for insurance companies?"
What happens to you if someone runs an extension cord from your house or if you spring an unknown water leak? You get a huge bill and you fix the problem. How is this different?
The best way to do is to be.
Every ISP should base charges only on how much traffic you send. That would give people a real incentive to keep their systems patched and secured. You wouldn't have to pay a ridiculous amount if you're on the receiving end of a DOS. You would have to pay if your systems get hacked or catch a worm though.
Alas, unless every ISP participated, this model wouldn't work well.
If someone steals my credit card number, the credit card company won't even charge me the $50 that they have the legal right to. I doubt that ISPs will be able to fare any better.
You could let them think that you were "eating the cost", but everyone knows it would simply be passed on to the customers in the end.
Keep up to date on current worms and other bandwidth threats. Notify your customers about these threats, and provide information on how to eliminate or reduce the impact.
Any massive bandwidth they log after that, is their responsibility. You notified them, and they did not listen.
After a few incidents like that, they will start to listen to your warning messages.
It sucks for them, but it's their server on the net and their responsibility to pay for the bandwidth used.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
"What? You were charged for that... oh wait... that's the... "internet tax"... you don't like it, write a letter to your congressman..."
If you are an ISP and you want to charge people for bandwidth caused by worms and DoS attacks, put that in your user agreement. If you are willing to swallow the cost of attacks, put that in your agreement. There's no need for regulations or insurance yet.
Is he hosting something on your servers, or does he have a box co-located? I would say he is responsible if he has to administer his box; otherwise, the ISP should bear the costs.
A class action lawsuit directed at MS on behalf of all the ISPs who have been flooded with viruses and lost money due to security holes in MS's products.
Stanley Feinbaum, professional journalist and master debater! God bless the USA!
you whiney bandwidth sucking basterdz!
you could host on angelfire, or you could learn to secure your site against these kinds of attacks by sniffing more glue.
that's what i did. my bandwidth bill was so low last month...
It is the job of the ISP to properly communicate to its customers the dangers of being on the web.
On one hand, if the ISP says that it is not accountable for attacks and internet slowdowns that it has no control over, then the people shouldn't expect anything when they happen. On the other hand, if the ISP uses this communication as an excuse not to protect itself properly against such attacks, then the customer should take his business elsewhere or be properly reimbursed for their losses.
"Probably the toughest time in anyone's life is when you have to murder a loved one because they're the devil." -Philips
A few different issues here:
... but if a big customer is going to walk over it, you need to make the right business decision
- yes, in general, they should be responsible for their bandwidth
- even with something as simple as MRTG they should be able to have an idea of whether or not the service provider is billing correctly on burstable stuff
- if they haven't applied patches, then i can't see how a consumer of bandwidth could have any argument at all
The customer pays what is in his contract. Make the language very explicit. There is no reason the ISP should eat it.
Should /. pay the bill for the /. effect?
-Peace
Free as in "the Truth shall set you..."
Whether it is our fault or not, we will be paying for it. You can't expect the ISP to just pay the costs when they could charge their customers instead.
Considering the variety of bandwidth providers, acceptable terms of service (TOS) and all that, eventually it will become a matter of taste, preference and terms that can be agreed with. How many subscribers want traffic shaping, inbound or outbound, on their interface? Wouldn't customers PAY for making sure that the only traffic spikes they can get are mail or http related? I'm sure a lot of my hosting clients would love a system where they pay for the bandwidth they use, but with limits in place to make sure excessive bandwidth usage is actually the usage they pay for.
Since DiffServ and other standards based solutions are ready to be implemented, perhaps you should consider talking to your most whiney clients about it?
Yes I know it doesn't apply to all clients, and not every provider has the extra router/switch cpu power to implement them on all links...
But wouldn't such a solution be a good way to keep the more demanding clients (increasing the value they get: bandwidth for the right traffic) and decreasing the tax hackers, distributed DOS and misconfigured systems make them pay (for undesirable traffic)? Maybe you should suggest this as a customer retention measure, for those clients where it makes business sense.
Well, on the one hand you have the credit card company model. They eat unauthorized charges all the time, and generally it is a good thing. Phone companies and other utilities do a similar thing: if you can prove the fraud, then they generally cut you some slack (though they might make you work for it). I think that this is a workable "consumer" friendly model. I think that generally, if one had a choice between two ISPs and one said we're gonna charge you no matter what, and the other said that we won't charge you for malicious use, assuming you can prove it, then I think that the choice would be obvious (price comparos notwithstanding of course).
I think it's simple to say you're responsible for your outbound traffic. If your machines are compromised, you should eat the bill for the traffic they generate. On the other hand, if you receive some wave of unwanted inbound traffic, you should definitely not be liable. Even a dropped UDP packet takes bandwidth.
In fact, I'd prefer a pricing model that is fixed for inbound and metered on the outbound. It puts a financial burden on spammers, copyright violators and the tragic/stupid victims of viruses. On the other hand, if you've got something to sell, you should be more than happy to pay for bandwidth used to move that merchandise.
I've been thinking about this for a while - on the one hand, I wouldn't like to get a bill if one of my sites were getting DOS'ed to hell, but on the other hand I believe there should be an effort to make spamvertised sites pay by drinking their bandwidth dry en-masse.
As for slammer, the idiots running the servers with open ports to the databases should pay for their bandwidth - serves them right. Hell, they're already wasting money licensing the World's least secure web server, so why not throw a little more into the trashcan?
Code, Hardware, stuff like that.
It's pretty obvious when you think about it. Bandwidth isn't free and ultimately, all internet users end up paying indirectly.
The same way that taxpayers all end up paying for the bungles of politicians.
"Smoking helps you lose weight - one lung at a time" -- A. E. Neumann
Give them a complete or partial rebate, the first time, and have a set of "How can I protect myself?" documentation ready for the user. Email it to them, mail it to them, fax it to them, whatever it takes to get them to read it.
Inform them that if they ignore those suggestions, and future problems end up costing them money, then they'll have to foot the bill.
This way, the customer walks away happy and informed, and if they're really willing to be a good net citizen, they won't come back crying.
If they're not willing to do what's required of them, they'll get stuck paying for it.
"You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
is there such a thing as OC/48 bandwidth throttling?
:)
As far as I know, which is very little, there is no such thing. You get 2gbps and that's the end of it.. there's no such thing as "it's burstable to 10gbps..yada yada yada".. but why is the poor guy who can barely afford the T-1 getting penalized?
Just my opinion.. everyone has one.. I got more than most..
---
You can't judge a book by the way it wears its hair.
I think it depends on what kind of services you give your clients. For instance if you are offering shared hosting and the client gets killed by bandwidth baddies I would think it is the ISP's fault for not protecting the equipment. However if you are providing colo or complex colo and are merely providing bandwidth, then the client should be responsible for every byte of traffic that goes in and out. They are responsible for the hardware and software. How can the company be expected to look after that?
I work for a managed service provider. We would never charge our clients for the slammer virus if it had affected them (fortunately it didn't) but our colo customers would be looking at a very large bill about now.
"Laugh, and the whole world laughs with you. Cry, and they still think its funny." - Mr. Boffo
I think the customers in this case have the right to complain about paying for bandwidth that was generated through no fault of their own (and I stress: if they are not at fault).
Ultimately the ISP should cover for such worm attacks but I can well understand why they might not want to. It sounds like it would be a good area for insurance.
: one has to realize the consequences (and the implications of burstable billing)
I don't see how people can be wholly responsible for their incoming bandwidth without being able to shape their traffic at their ISP's side of the pipe.
I've always wondered where the cost for bandwidth comes from. I've assumed it is related to equipment and line maintenance, costs for professionals to maintain the equipment and expand the networks, and new equipment and housing.
Can someone give me an idea of where the price for bandwidth ultimately comes from?
Someday, you're going to die. Get over it.
I personally think that the current model for bandwidth needs to be changed. Right now the bandwidth providers are eating from both ends of the stick and laughing all the way to the bank. But the fact remains that many sites are not able to pay their bandwidth bills. If content on the net is disappearing, so will users.
I would propose that content providers be given free bandwidth provided by the telcos since, after all, they are the reasons people like me pay for broadband. In effect, the consumers will subsidize the cost of the content providers. After all, that's what you really pay that $20-50/mo for... The content!
It also would cause Individuals to generate greater pressure on Distributors to get patches out and visible to the general public. If the general public took more of an interest in internet security, there'd potentially be much fewer DDos Zombies out there.
There's nothing quite as eye-opening as a huge bill sitting on the table staring back at you.
And that's my 2 cents.
Perhaps the best solution would be to implement a flat rate under which you would just pay a set amount per month. If you exceeded this, then you would pay on a burst billing method for the bandwidth beyond that.
The real question becomes where do you set the line? But that could be determined by the average user usage, perhaps a study could be done over the course of a few months to see where people fall on this whole thing.
RonB
It is human nature to take shortcuts in thinking.
If you work on the ISP side you should be able to throttle bursts of bandwidth with the consent of your users. Should they decline to be throttled, then you should be able to charge. Why aren't you throttling bandwidth right now? A thousandfold increase in bandwidth use should raise suspicions unless the site was mentioned on slashdot ;-)
Hajo Monogamy: Belief so strong that millions of people end perfectly good relationships in order to start a new one.
If you control shared servers and/or if you do not give users a configurable blocking mechanism (firewall, IP addr/range blocker, for web services a bogus URL block or the ability to ban individuals who spam sites) then you are, in fact, responsible for the bogus bandwidth usage.
Anyone else look at the title and immediately think this could be the first back to back dupe?
After all, they have root access on the box. They're the admin.
For that matter, it should be the customer's ass, not the host's, if they get r00ted.
Sort of things that should be in writing in the hosting contracts, IMHO.
There are reasons to go both ways on this one. On one hand, if someone decides they don't like you on IRC and ping floods you a gigabyte, the charges for incoming bandwidth are not nice.
On the other hand, charging everyone for outgoing bandwidth only leaves operators of websites with a big bill which banner ads don't cover anymore.
I'd like to know which way charging goes in practice. If I got a fat connection to a big ISP or a big internet exchange, how would it usually be billed? Total traffic, incoming traffic, outgoing traffic, flat rate or based on content, e.g. does it matter if I am a search engine sending out content that people want or if I am feeding a load of web surfing end users getting content from others?
If you want to keep that customer, you do what it takes to keep the customer. Remember the golden rule: 1 bad customer experience gets passed on to 20 people. If you think that this customer is going to put up with this, fine, go ahead and charge them. If you don't, you should suck it up. If they leave, not only will the money that you get from them go to zero, but they will bad mouth you to enough other people that it does have a negative impact on your attempting to acquire more customers.
In other words, be a good guy, suck it up and the customer will trust you more the next time you attempt to raise their bill. Blow them off and the only thing that you might get from them is the finger.
I have but one question - what constitutes a content provider?
Should a system such as you propose ever come into existance, it'll be time for Internet 3, because the first one will have gone to hell in a bit bucket.
Plain and simple, the customer needs to pay for the bandwidth they used.
However a simple "You're exceeding your commit rate. What's going on?" works wonders. The thing is - do it as soon as you see it - not with an excessive bill at the end of the month.
This is why bandwidth at an "all you can eat" rate per month is best. This is why the Internet took off so much faster in the US than elsewhere in the world - local phone calls are free with a monthly bulk rate. Trying to break down the cost by quantity is fraught with complex issues that just aren't worth the trouble compared to a flat rate.
My previous employer was unfortunate enough to be attacked by a series of distributed ICMP ping flood attacks. Our bill jumped from under $1K per month (Canadian) to over $10K in less than a day.
We adjusted our monitoring process to detect these spikes early and contact our ISP to deny traffic from the offending subnets. Luckily, our ISP was willing to do this, even though they still incurred traffic from inbound packets. Luckily, these attacks originated from a few subnets that could be isolated.
As a further kludge, we eventually disabled ICMP altogether on our routers, and lived without ping and traceroute.
Having a host on the net is a risky proposition. You pay for inbound and outbound traffic, regardless of the source, packet type, or quantity. DDoS attacks can not only prevent your server from being accessible, they could literally bankrupt you if you become a target and don't take preventative measures.
Hmm... One click bankruptcy. I wonder if anyone has tried to patent this yet...
Our ISP was technically capable of detecting and thwarting various attacks. Ultimately, the policy of monitoring and contacting an ISP when traffic exceeds a certain threshold seems like a workable solution for average co-locators.
Given the architecture of the Internet, it's difficult to see how we could shift the burden to pay away from the server to the client. It seems like a problem remarkably similar to the problem of spam.
My car gets 40 rods to the hogshead, and that's the way I likes it!
So you have to pay for the downloads of bug fixes, or else you have to pay for not downloading the bug fixes ...
Don't go to a brothel if you want to buy broth
It's a pretty tough issue... seems like whoever initiated the malicious behavior should foot the bill, but in cases where that person can't be located then I guess the victims of the attacks just have to eat the cost. Seems like a good incentive for customers to keep servers patched and firewalled (though even that won't guard against all attacks), as well as provide assistance in tracking down the responsible persons.
That insurance idea is definitely interesting. It would probably be a good idea for ISPs (or third-party companies) to consider offering insurance plans for their services, in case of situations like those.
'Burstable' billing, or any other scheme for charging based on total traffic transmitted, is a bad idea anyway. It creates additional overhead (and therefore cost) on the provider's end, and unnecessary paranoia for a customer.
Billing a fixed monthly amount for a particular rate of transfer is a much better option. E.g., $400/mo for a 2Mbit link (if it's via a medium that can go faster, rate-limit it to 2Mbit). No extra resources used to measure utilization, no surprises in the bill.
If your system is generating the traffic, then yes... you are responsible for it! We supplied a net connection to a neighbour, they ended up having an open relay for spamming, and a warez site... It was their fault it wasn't a "tight" machine... so they got the bill.
Now if you are getting hammered by worms on the inbound side and nothing gets through, then you can't be responsible for that.
Look at the phone companies. They have similar problems: 1) Telemarketers (source pays), 2) Junk faxes (source pays phone bill user pays consumables), 3) Junk calls to a Cell phone (user pays for airtime, and v-mail box etc. usually).
The cell phone users were/are so P.O.'d that it rarely happens and legislation is/will be in place.
There is _little_ way to spoof your phone number, so the ISP equivalent can easily find the source of the junk call, and they (both telco and telemarketer) know it, so abuse is easier to deal with.
Watch for "security" to make it harder to deliver a lot of e-mail junk without paying for the privilege. I expect junk faxes to also fall to the courts.
Trouble, a mistake or fun, your choice
Good question: who should pay for bandwidth usage?
Ideal answer: the person(s) who used it.
Of course, this isn't possible due to a number of issues - including:
1) Typical Consumer isn't going to want to pay more than a fixed monthly (low) fee.
2) Theft of service/accidents/virus/worms.
Certainly in the USA courts, lawyers will basically win cases if some party didn't do due diligence with regards to industry standard practices.
Thus, I'd suggest: if the bandwidth usage is due to the customer's failure to patch their systems within 30 days (7 days? or something) of the patches being available, then the customer should pay.
Naturally, ISPs need to be more professional than some of their customer can ever be expected to be - and THUS should be patching their systems and filtering ASAP. (Probably should be within 24hrs for most patches .. ).
Of course Slapper took 10min or so to go around the world, SO some stuff will have to auto-magically be updated ... the problem is then the ability to do testing and QA of changes is basically an after the fact issue :-(
Yes, it will be a tough balancing act ... and it may not work well since the issues can be argued (but then they already are ... as per the poster). This does seem to be the most fair, creating interest in the various parties to making their systems more secure.
--
othermark
(!wired)?(coffee++):(wired);
If you treat your customers like this, you're going to lose them. Simple as that.
I liked the analogy someone else came up with, such as someone running an extension cord from your house to theirs. Who is responsible here?
If I had hosting with your company, and the slammer bug hit servers that your sys admins failed to update, then you better eat that burstable bandwidth bill or a lawsuit couldn't be far behind (depending on the amount, of course). If the servers were my responsibility, including keeping them updated, etc, then I could understand your reasoning.
If a DDoS attack cripples my site, and you expect me to pay for that, you're sorely mistaken.
The simple fact is if they caused it, they paid for it. This includes patches/fixes the customer should've implemented. If you run and maintain that server for them, then no bill increase should be applied.
If someone out in the world caused it, a random malicious event that they just so happened to be on the brunt end of, just throw away that burstable bandwidth bill and make sure your customer knows you did them a favor.
It may not be your place as to pay for that second scenario, but you'll keep your customers longer, keep them happier and keep word of mouth on your company going strong.
It's just good business. Were this my company, I would never even think of treating customers this way.
This is simply a question of how your contract is written. If it says they pay for all inbound usage, then they pay for all inbound usage, except perhaps usage generated by your own systems (for various reasons which are not necessary to consider here).
Of course enforcing this may mean being unpopular with and/or losing the customer, but it's your call.
There's a big difference in bandwidth issues for co-location and for shared hosting.
If you put a server in someone else's building you should be accountable for bandwidth - after all, it's your software and your hardware using their bandwidth.
If you are running a site on someone else's server, then viral harm should not really be your problem - in the case of slammer types anyway. You have no control over patches or proper administration and therefore should not be accountable for bandwidth unless it's because you actually do get a massive spike in hits (ie. via the /. hammer syndrome).
Admins need to be taking care of their stuff and people that have servers need to have Admins...A lot of servers I've had to fix during the last few viral epidemics had not been patched or even looked at in a long time. Perhaps they didn't have admins...
I think it's kinda like having a fire... If you don't tend to it, it could cause damage to other people and/or their property. And thus you are accountable for your own actions.
If you want to keep the customer, the first time it happens, you might want to forgive the excess bandwidth charges (while pointing out the specific clause in the contract that says you have every right to charge them), tell them that it's "for this time only," and make a record of it. This is the type of action that can inspire customer loyalty. If you want to keep customers, you need to find some ways to differentiate yourself from all your competitors. Since you're keeping records, you should be able to tell if a customer is just trying to abuse your policies.
You need to ask yourself- how much did the excess bandwidth really cost, and how much is this customer worth to me in the long run? Probably, keeping that customer will make far more impact on your company in the long term than if you charged them, pissed them off, and inspired them to switch to another ISP.
I work for a small local ISP; before making any decisions we always look at it historically using MRTG. If the customer all of a sudden starts spiking up from their normal amount of traffic, then we will let it slide at first. We will warn them that they may need to check to see if there are any updates for their computers that can help. Also we tell them what to check for regarding P2P programs on computers that they may not know about. If it continues then we are justified in charging them more, because they didn't heed our warnings the first time. Most of the time the customer's computer(s) are at fault for the bursts that are coming on their connection. Don't know if this helps in your case, but it seems to work well for us.
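The "check it against history, then warn as soon as it happens" approach above (and the "you're exceeding your commit rate" notice suggested earlier in the thread) can be automated over MRTG-style counters. The following is an added example, not code from any poster or ISP in the thread: it walks constructed 5-minute byte counters for one customer, compares each sample against the median of the preceding window, and flags samples that exceed both the commit rate and a spike factor, reporting the direction so the operator can tell an inbound flood from a box that is itself generating traffic. Names, window sizes and the sample data are all assumptions made for the example.

```python
"""Spike detection over per-customer traffic counters (added example)."""
from dataclasses import dataclass
from statistics import median

INTERVAL_SECONDS = 300  # MRTG-style 5-minute sampling interval


@dataclass
class Sample:
    ts: int         # sample time, seconds since epoch (constructed)
    in_bytes: int   # bytes delivered TO the customer during the interval
    out_bytes: int  # bytes sent BY the customer during the interval


@dataclass
class Alert:
    ts: int
    direction: str      # "in" or "out"
    rate_mbps: float    # rate observed in this interval
    baseline_mbps: float  # median rate over the preceding window


def mbps(byte_count: int, seconds: int = INTERVAL_SECONDS) -> float:
    """Convert a byte counter delta over an interval to megabits per second."""
    return byte_count * 8 / seconds / 1_000_000


def detect_spikes(samples, commit_mbps, baseline_window=12, spike_factor=10.0):
    """Flag samples whose rate exceeds the commit rate AND is spike_factor times
    the median of the previous baseline_window samples, per direction.
    The first baseline_window samples only seed the history."""
    alerts = []
    for i in range(baseline_window, len(samples)):
        history = samples[i - baseline_window:i]
        current = samples[i]
        for direction in ("in", "out"):
            field = f"{direction}_bytes"
            rate = mbps(getattr(current, field))
            baseline = median(mbps(getattr(h, field)) for h in history)
            # max(..., 0.01) keeps an idle link from making any traffic a "spike"
            if rate > commit_mbps and rate > spike_factor * max(baseline, 0.01):
                alerts.append(Alert(current.ts, direction,
                                    round(rate, 3), round(baseline, 3)))
    return alerts


def notice(alert: Alert, commit_mbps: float) -> str:
    """Wording for the early heads-up the thread recommends sending right away,
    not at the end of the billing cycle. Direction decides what to ask about."""
    if alert.direction == "out":
        cause = "traffic originating from your equipment; check for compromised or unpatched hosts"
    else:
        cause = "inbound traffic from outside; tell us the sources so we can filter upstream"
    return (f"{alert.direction}bound {alert.rate_mbps} Mbps vs {commit_mbps} Mbps commit "
            f"(baseline {alert.baseline_mbps} Mbps): {cause}")


def constructed_day() -> list:
    """Constructed sample data: 12 quiet intervals at 0.5 Mbps in / 0.8 Mbps out,
    then an inbound flood (40 Mbps), then an outbound burst (30 Mbps)."""
    quiet_in, quiet_out = 18_750_000, 30_000_000   # bytes per 300 s
    samples = [Sample(1_000_000 + i * INTERVAL_SECONDS, quiet_in, quiet_out)
               for i in range(12)]
    samples.append(Sample(samples[-1].ts + INTERVAL_SECONDS, 1_500_000_000, quiet_out))
    samples.append(Sample(samples[-1].ts + INTERVAL_SECONDS, quiet_in, 1_125_000_000))
    return samples


if __name__ == "__main__":
    commit = 2.0  # Mbps, the 2Mbit link size used elsewhere in the thread
    for a in detect_spikes(constructed_day(), commit):
        print(notice(a, commit))
```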
In the scenario where the ISP eats the bill, it is now taking the responsibility for people not keeping their software up-to-date. I think that's a bad idea. People need an incentive to apply patches. Slamming them with a bill for the problems they caused by not patching is one way to get the message out.
This will also help push the liability "down" to where it belongs. Pushing it down to the (ISP) customer will force the customer to put pressure on the software writers to take liability for bad code. But saying that an ISP must let its users off-the-hook won't get to the source of the problem.
If an ISP wants to start pushing for software writer liability, it will need its customers backing it up saying, "I was running software X and it caused this financial burden." But the ISP customer has no incentive to do that because it isn't seeing any financial hardship. So the legal process on the ISP would involve lots of annoying subpoenas, and evidence from people that don't want to be there...never a good thing.
Keep It Simple, Silly, is the phrase here, I think. It sounds evil for the end customer to be left with the burden, but at the end of the day that is how things are supposed to work.
The Right Reverend K. Reid Wightman,
The problem with billing for excessive inbound traffic is that the user has absolutely no control over what they receive.
You can have the most sophisticated firewall on the planet, but due to the immutable laws of IPv4 you can NOT drop a packet until you see the packet. At which point you've already used the bandwidth (and incurred the cost) required to transport the packet that you're just going to drop.
This has nothing to do with patching your server. If you don't patch your server, and you get hit with a worm, and your box starts consuming huge amounts of bandwidth to attack other hosts, then it's your fault, and it's OUTBOUND traffic, and you absolutely should pay for it. But having your server patched does not stop you from receiving inbound packets. They may not harm your server when they get to it, but you already paid for the transit.
BTW, This is why it's illegal for a telemarketer to call you on your cell phone. Because in theory you had to answer the call (and incur expense) BEFORE you knew who was on the other end.
This is a similar issue, except that we're not talking about telemarketers... which are businesses that more or less follow the rules. We're talking about script kiddies that don't care about the rules. Or in a worse case, we're talking about a competitor, or enemy, or rival that just wants to DOS you for a month until you go out of business because of all the excess bandwidth charges you're paying!
The technology limits the liability of the consumer. The ISP must take some responsibility here and put systems in place that protect the consumer.
-JE
With the cost of bandwidth now becoming a cost like electricity or gas, the Internet needs bandwidth efficiency goals.
If you had a webpage that had around 200kb of content and the cost of bandwidth was 5 cents/mb, then being slashdotted by 100000 visitors would cost $40!
But if you optimised your webpage to around 100kb, your cost would be only $20.
When you analyse bandwidth usage, you see how inefficient the internet really is, and you should squeeze every last byte of efficiency to save costs.
IMHO, what he/she (and anyone else in this situation) should do is update their AUP and TOS etc and basically have them all say:
I agree with many of the arguments made, but he is providing a service, a service that the users do not have to use. I say implement policies such as the above, and then let the users decide if they want to stay on with them or not.
RonB
It is human nature to take shortcuts in thinking.
what's next? customers complaining when they get slashdotted and asking the isp to reduce the bill?
Slashdot effect: the isp killer.
Everybody has a purpose in life, maybe mine is to lurk in slashdot.
But don't most ISPs pay a fixed rate for an X sized trunk? So, then, don't bandwidth spikes cause an overall degradation in service but not an additional charge to the ISPs?
I'm all for charging everyone who was infected, but if a system receives an unrequested DOSsing due to wormies, I don't see how charging the recipients for it would help alleviate that service drop. And unless my grasp of ISP metrics is totally off (possible), how did this spike cost the ISP any actual money?
Morally speaking, the recipient is not responsible for traffic spikes that couldn't reasonably be expected. That is the responsibility of those people who don't patch their systems, who create insecure systems, and who write the viruses in the first place. If you want a real-world analogy, a manufacturer can be sued if it creates an unsafe product that catches fire and burns down your house, but no one would hold the neighbor morally responsible as a cost of putting it on the common if that fire then spread to their house. Or, as a less forced example, no cop would give you a citation for having a broken taillight if it was because a random stranger smashed your car with a baseball bat. In the latter example, the owner of the car does need to repair it as the smasher cannot be found, but as I mentioned, unless there are actual financial reparations to be made by the ISP I fail to see how this is more than a ticket.
Of course, all packets have a Syn / ACK, so tracking down the person who is responsible is possible...
The ______ Agenda
It all depends. What if the customer has his/her pages on an ISP server and the server is the cause of the problem, they forgot to patch the SQL server that they provide on the server or some item relating to faulty administration? Why should a customer be stuck with this bill? Or some IP is nailing the server and the ISP does not provide a way for the customer to deny the traffic. The customer should have every right to say that they don't want any worm traffic hitting the server and the ISP should provide those tools or services to do so. If the customer is colo'ing a box then I would say it's the customer's responsibility for everything, but when it comes to hosting your site on an ISP server, it's the ISP's job as service provider.
Have you ever been to a turkish prison?
Each individual ISP is going to have to come up with some scheme for paying the bandwidth bills.
Thankfully, it isn't some abstract concept like bandwidth "utility" that is difficult to quantify and price; every month an ISP has to pay X amount of dollars for their infrastructure. However they see fit to pay that money is really up to them. There are numerous ways, of course.
The best possible situation would be every ISP trying a diverse set of payment structures. Through the magic of capitalism, consumers will eventually migrate to those ISPs who've created the most fair and efficient pricing scheme. Although, history (or maybe, Microsoft) has shown that being the most fair and efficient isn't a prerequisite for financial success.
for great justice, this sig has been moved
I work for a company that writes Utility Billing Software.. from the way that we see it... there's fixed and variable pricing.. make a cost benefit analysis and figure out where the break should be for people to have a fixed fee versus variable.. in events such as the Slammer virus.. treat it like a water main break and eat the cost.. it's like telling someone it's their fault they drive a car, that it got broken into.. if the bandwidth is directly attributed to a situation that is out of the user's control, then don't charge them for it.. but if they don't patch up once a patch becomes available (this should also mean that you, the ISP, have the patches readily available so there is no excuse by the user for not doing it), then those later fees should be attributed to the customer..
Look, I know that you're angry at Ronald McDonald for taking your Virginity, but keep the anger to yourself, ok?
I know that some of you would balk at the thought of this, but would insurance be a possible solution? Customers could pay some fee (depending on certain factors...there are rating engines for doing just this) and could make claims for DOS, spam, and other abuse. Are there companies out there that can insure this sort of thing?
If someone initiates a DOS attack on my server and I get charged for the bill and I can prove who did it, can I sue them and recover my costs from them? Should the law allow this?
It should be obvious here -- if the customer has malicious code on their machines that generates bandwidth, all because the customer didn't (patch|secure their machines|perform generally accepted security practices|etc...), the customer should definitely eat the costs. On the other hand, if there is a worm loose on the net and the customer /HAS/ done all of the above, then if a loss in bandwidth is seen, the provider should eat the costs.
How does it really work? Customers b1tch constantly regardless of fault, and providers refuse to give a credit. Lovely, isn't it?
If I were the customer and got charged out the ass because of a worm that had nothing to do with my site (I wasn't infected), I'd be pissed and take my business elsewhere in a heartbeat. So it's all a matter of weighing the potential future revenue by keeping the customer happy against the quick one-time revenue of billing for huge random un-preventable spikes.
I thought many bandwidth providers had moved to a 95th percentile model to bill for bandwidth. Ignore the top 5% of the usage samples for this month and bill at the customer's 95% usage. This means that any sudden spike doesn't count against your bandwidth. Lots of spikes, or a spike that is not handled within a day moves the 95th percentile way up.
Our upstreams bill us this way, and all of our burstable downstream customers are billed this way. It works well that way.
Multi-tier pricing based on expected usage and unexpected usage. Seems like you should have a mechanism in place to deal with this sort of thing. You have a customer whose normal traffic is x. All of a sudden they are getting pretty severe traffic like x times 5 or something that makes it look like they are going to max out their allotment with most of the month left to go. If it was ME as the customer, knowing I was going to get hit with a huge and unexpected bill, I would think it *nifty* if you either throttled it back or even shut connections off until the customer was notified or a better analysis was obtained of what was going on. And you can offer both: one way the customer knows they are liable for their bandwidth, period, their decision to make, they will chance it and they want their site UP no matter what. Swell.. Another plan, they agree in advance for you to take action on their part if something goes real screwy and they are getting DOSed or whatever. Seems fair enough and easy enough to have that in a written contract.
I went through something like this with a roommate and long distance bills. The roommate's friend came to visit, stayed a week. My bill was literally 10 times larger than normal at the end of the month, 500 something as opposed to a more normal $40 to $50. The so-called friend of the roommate had split well before the bill came in and disappeared, no one but ME to pay the bill, the other roommate didn't care, said "too bad, not my fault, I didn't do it", and no arguing with the phone company over it. I SURE would have liked to have had the option with the phone company (and if I had thought to ask obviously) that if all of a sudden the bill was going through the roof, a courtesy call was dropped to the home verifying this huge jump in traffic. Something like that anyway, a cap of sorts. I could have nipped it in the bud before it became outrageous.
And no, it wasn't any phone nookie 900 #'s; this person thought they were some kind of business tycoon and just made calls all over heck constantly when no one was around, trying to set up of all things "music business deals". I found out later after I just called a few of the listed long distance charge #'s up to see WHAT all the calls were about. Needless to say I soon thereafter stopped having those sorts of roommates and so-called "friends".
As long as this is under debate, meaning that there are ISPs that will compensate for undesired bandwidth spikes, customers will find that they offer better competition than the ones that don't.
So it all depends on how much a satisfied customer is worth to you. Would you rather give them free bandwidth (for honest mistakes) or would you rather lose their business?
for example:
You buy a tray of food at a food court, you trip and throw it all over the place making it inedible. YOU pay for it.
or
You buy a PlayStation 2, but when you bring it home and plug it in, it doesn't work. You bring it back to the store and get a new one paid for by Sony. Somebody ELSE pays for it.
Once it becomes a standard practice, to excuse unintentional bandwidth spikes or not, your question will be answered. The standards are different for every type of service.
My ISP (and this is dialup - bleh) recently sent me a letter informing me that I was one of their "Top 50 users." I was hoping to win a prize but they just wanted to double my access fee. Funny, I thought, when I signed up it said unlimited access - so I called and discussed what unlimited means. Apparently unlimited means with bounds and constraints (I kept thinking to myself, this is 56k dialup, it's not like you can really consume too much bandwidth). If I wanted (yes this is really a quote) "Really Unlimited Access" I'd just have to pay twice the access fees, then the Top 50 letters would go away and everything would be happy again (after all, prolonged dialup can ruin their equipment?). 'Course all of their advertising says Unlimited 56k Dialup for just $9.95. Well, I canceled service today and am moving on. The ISP is http://www.inreach.com/ - check out their page and see what you would expect.
MightyCookieface
Who is this "Poster" guy and why does he own all of my comments?!?
Hey,
I wouldn't pay. I would sue the spammers.
Since the internet is public you should not have to pay for a burstable server. Seek a flat rate.
Also sue the spammers. Sue the portscanners.
Come on, it's not the bandwidth that is expensive, it's the hardware and maintenance. It only costs pennies to run the electricity on the routers, hubs and bridges. These prices based on bandwidth are just artificial prices like long distance rates. The company that owns and maintains the fiber should have a fixed price to maintain it.
I have dealt with this situation before.
I don't mind being charged for everything that comes down the line, as long as I can make a phone call, or log onto a website, and get something blocked at the ISP's side of the link.
I've been DOS'd before because someone wanted my nickname on IRC -- stupid reason, yes, but why should I eat that DOS, when I called my ISP and asked them to specifically block XYZ kind of traffic, and they did not have anyone with enough know-how to do it?
If they provide a blocking facility, sure, I'll pay for it all.
A class action lawsuit directed at all window (as in for houses, cars, etc.) manufacturers on behalf of all the individuals who have had home or vehicle broken into and lost goods due to security holes in windows.
A modern day witch hunt.
Unfortunately, there would have to be proof of malicious intent, or at LEAST a reasonable knowledge that linking to the page would cause the business to lose money. /. would have a reasonable knowledge that linking to the page will cause the page to load slowly; they don't know what sort of connection the page is on, nor is it their responsibility to find out.
The day anybody becomes liable for linking to a page on the internet will be the end of the world wide web...that's the whole premise of the thing...
The only thing I can think of is something similar to the robots.txt file...have your webserver have a slashdot.txt file that says something like NoSlashdotLinkage = true in it or something, anything similar to the thing for preventing search engines.
//FIXME: Bad
This is why we don't offer burstable connections.
You pay for capped bandwidth, and your bill never changes.
Andy
OK, I work with routers all the time. In general you always pay on PtP circuits and burstables. Hosted environments with IDSs in place etc. etc., it's up to them as they claim to have protection in place. Now with this being said, 95th percentile billing gives you 36 hours to deal with the problem before it's on your bill; during that time you need to be proactive. Slammer is a special case as most sensible ISPs turned off that port, period, as it affected their routers as well (that nasty netflow bug in the GSR oversubscribed GigE cards). 5 of the ISPs that I consult at still have the port blocked in general, with openings on a request-only basis.
No sir, I don't like it.
Let's say that you piss off the whole town, and everyone comes by and eggs your house. Who gets to clean it all up? You do, unless you have insurance that covers this sort of thing.
Maybe it's about time for insurance companies to start looking into this sort of thing. A webserver is a physical item just like buildings and company cars. Maybe they should have insurance to protect themselves from the general public just like everything else.
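The 95th-percentile billing described earlier in the thread, and the "36 hours to deal with the problem" figure in the comment above, as an added worked example (not code from any ISP mentioned here). The samples are constructed: one rate sample per 5-minute interval in Mbit/s for a 30-day month, the usual way such meters are fed from router counters. It also generalizes to many short spikes, which the thread notes will push the percentile up just like one long one.

```python
"""95th-percentile (burstable) billing, as described in the thread.

Added illustration, not code from any ISP mentioned above. The traffic
samples are constructed: one rate sample per 5-minute interval, in Mbit/s,
for a 30-day month (8640 samples).
"""
import math

MINUTES_PER_SAMPLE = 5
SAMPLES_PER_DAY = 24 * 60 // MINUTES_PER_SAMPLE   # 288
MONTH_DAYS = 30


def percentile_95(samples):
    """Sort the samples, throw away the top 5%, bill the highest remaining one."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    dropped = math.floor(len(ordered) * 0.05)
    return ordered[len(ordered) - dropped - 1]


def grace_hours(n_samples=SAMPLES_PER_DAY * MONTH_DAYS):
    """How long a spike can last before it starts to show up in the bill.

    With 8640 five-minute samples the top 5% is 432 samples, i.e. 36 hours,
    matching the '36 hours to deal with the problem' figure in the thread.
    """
    return math.floor(n_samples * 0.05) * MINUTES_PER_SAMPLE / 60


def build_month(baseline_mbps, spikes):
    """Constructed month of samples: flat baseline plus spikes.

    spikes is a list of (start_hour, duration_hours, mbps). Overlapping spikes
    keep the higher rate.
    """
    samples = [float(baseline_mbps)] * (SAMPLES_PER_DAY * MONTH_DAYS)
    per_hour = 60 // MINUTES_PER_SAMPLE
    for start_hour, duration_hours, mbps in spikes:
        first = int(start_hour * per_hour)
        last = min(len(samples), first + int(duration_hours * per_hour))
        for i in range(first, last):
            samples[i] = max(samples[i], float(mbps))
    return samples


def billable_mbps(baseline_mbps, spikes):
    """Rate the customer is billed at for the constructed month."""
    return percentile_95(build_month(baseline_mbps, spikes))


if __name__ == "__main__":
    print("grace window:", grace_hours(), "hours")
    print("35 h worm spike:", billable_mbps(2, [(100, 35, 50)]), "Mbit/s")
    print("37 h worm spike:", billable_mbps(2, [(100, 37, 50)]), "Mbit/s")
    print("ten 4 h spikes:", billable_mbps(2, [(d * 24, 4, 50) for d in range(10)]), "Mbit/s")
```

A 35-hour worm spike on a 2 Mbit/s baseline bills at 2 Mbit/s; the same spike lasting 37 hours, or ten separate 4-hour spikes, bills at the full 50 Mbit/s. That is the whole point of the scheme: the customer is protected from one-off events but still has to fix a compromised box quickly.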
Being called a dork on Slashdot must be like being called the retard in special ed.
If a phreaker beige boxes your home phone and runs up a huge bill, who eats that cost?
The answer should equate to who should eat the cost of a DoS trojan.
Part of the problem is that consumers expect this sort of insurance to be included in the cost, much like a credit card.
An ISP may only have a responsibility to provide bandwidth, but they also should not be the cause of problems for their users. While it may not be feasible to protect their network by acting effectively to block worms and viruses, it is certainly possible for them to organize class action suits against various people who are responsible for the problem.
If the problem is that a piece of software is improperly configured and is causing a problem, the user of the software should be liable for traffic. The ISP should help their users effectively collect penalties from such users.
If the problem is a flaw in software, then the maker of the software should be held liable unless they have proven responsible action (such as contacting all their registered users with information about the vulnerability and solutions to it), in which case the user of the malignant software is at fault.
In any case, an ISP can state that a user is responsible for all the traffic they get, whether they want or even use that traffic, but then they have to provide better traffic shaping, and the costs of that will increase the user costs, although the bandwidth will certainly be more valuable. Imagine being able to enter in that you don't want traffic from a certain ip, or a certain port, and instead of that getting blocked at your door, have it blocked at the ISP's door. Or even have it blocked right at the senders door.
I guess it is a question of balance. If bandwidth is really cheap then an ISP can afford to let it be entirely open. If it is really expensive, then technology needs to be developed to restrict use of bandwidth to what is appropriate. QOS on an internet wide scale...
In any case, I would say that a provider who really wants to keep customers will seek to punish the people causing their bandwidth problems rather than users who do their part to reduce the problems with worms, viruses and otherwise.
Every time one of these "what do you Slashdotters think?" posts comes out I cringe. I cringe because the average Slashdotter's desire to state an ill-formed opinion is already well past Gaussian proportions before it was invited.
I therefore declare that all such "what do you Slashdotters think" posts be modded down ipso facto as redundant.
Limekiller
Microsoft's insecure software has allowed worms to overly use bandwidth by ddossing servers. They should have to mop up the mess by compensating users for their software flaws.
Open source software liability is a legal mess, because if some open source software is flawed, there is no single entity to blame because of the distributed nature of the internet.
The RIAA/MPAA should stop complaining about piracy and help set up more legitimate services. The p2p software is a pure bandwidth hog, and with legal alternatives bandwidth would drop.
Perhaps ISPs can include an Act of Man clause similar to an Act of God. When tragedy strikes and service(s) are down it's expected that the ISP will do everything it can to remedy the situation. The ISP is not responsible for the customer's portion of the problem, however. Therefore, if an Act of Man (malicious code) causes unnecessary spikes in incoming traffic, the ISP is responsible for stopping it on their networks as best possible and alerting the customers that unless they do something about it they will be charged. "Doing something about it" includes maintaining logs that can be used to prove the customer did NOT incur those spikes and therefore will NOT be responsible for the bill. This can be handed upward as well. For example, if Joe Customer uses Public Internet Access (PIA) as an ISP and PIA uses Qwest, SWB, AT&T, UUNET, or some other backbone provider, ultimately the backbone provider eats the costs. This is unfortunate but, like an Act of God, no one's true responsibility. If the backbone provider has enough evidence to point at a person or group for the malicious code causing serious downtimes and outages then by all means, customers, support your backbone provider in court and pay some of the bill to help further ensure that malicious coders will be prosecuted. As for me, I'd hate to eat those costs, but if I signed an SLA that I didn't like it's partially my fault.
Rivendahl
... there is nothing that has not already been thought
One of the few slashdot stories without a link ;)
I feel this is an excellent time to discuss SLASHDOT'S moral obligations in linking. Certainly some shops can handle the amount of traffic that is sent their way by getting posted here, but in other cases the server gets hosed, the bandwidth bill goes through the roof, or worse! (remember the guy with the barcode entry system to his house?)
C'mon editors! At least make it so the front page links link to cached text copies sans images or something.
Every ISP should base charges only on how much traffic you send. That would give people a real incentive to keep their systems patched and secured. You wouldn't have to pay a ridiculous amount if you're on the receiving end of a DOS. You would have to pay if your systems get hacked or catch a worm though.
Good idea but it doesn't quite go far enough.
You should be billed for the traffic you CAUSE or SOLICIT, and thus have control over. Much of internet traffic is things like web browsing, which involves a small request soliciting a large reply. If you suck down 60 megabytes of web porn, MP3s, or ftp downloads, it's your bill. Similarly if you host a server, which accepts little requests and pours out data, it's your bill.
But if somebody starts sending you unsolicited packets, that's like somebody making nuisance calls or pages. (You will notice that pagers, at least, are generally NOT billed by the page. They tried that, and the customers rebelled because they had no way to block idiots with autodialers.)
So something with a little deeper visibility is in order. Here's a fair approach:
TCP: You get billed if you make, attempt to make, or accept, a connection. You don't get billed for attempted connections you refuse or that don't get completed (i.e. SYN and other DOS attacks).
UDP: You get billed for outgoing UDP packets. If the billing machine is sufficiently stateful, you might also be billed for incoming UDP packets that ARE replies to a recent outgoing UDP request using a well-known UDP request/reply protocol. (This would prevent cheating but still protect you against getting billed for both DOS attacks and forged-reply billing attacks.)
ICMP: All are free except outgoing ECHO REQUEST (ping), because they're a mandated part of the network overhead. (You don't want to bill inbound ECHO REPLIES, to prevent billing for forged reply attacks. But you might bill ECHO REQUEST as if it went both inbound and outbound, to cover the expected ECHO REPLY without making the billing machine stateful about ping "connections".)
That should pretty much cover it. Customers would:
- be fairly billed for the bandwidth they used, caused to be used, or allowed to be used,
- not be billed for unsolicited "phone calls", DoS attacks, or mandated network overhead, and
- have a strong financial incentive to keep their system secured against crackers and malware (such as viruses and worms).
And installing a get-around-the-billing hack (like PPP-over-ECHOREPLY) would be a violation of terms-of-service and cause for disconnection - or changing the billing of that customer back to "all bandwidth co$t$" B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
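The TCP/UDP/ICMP billing rules from the comment above, carried through as an added example (not the poster's code). The packet records are constructed, as a real meter would take them from a capture or flow export; the field names, the Meter class and the 30-second reply window for UDP are my own assumptions, and the addresses come from the RFC 5737 documentation ranges. The sample mixes normal use with the cases the poster wants to be free: a forged UDP "reply", a half-open SYN flood, a refused connection, and an inbound ping flood.

```python
"""'Bill what you caused' metering by protocol, following the TCP/UDP/ICMP
rules in the comment above.

Added example, not the poster's code. Packet records and thresholds are
constructed; field names and the Meter class are my own assumptions.
"""
from collections import namedtuple

CUSTOMER = "203.0.113.10"
REPLY_WINDOW = 30.0  # seconds an outgoing UDP request keeps its reply billable

Pkt = namedtuple("Pkt", "t proto src dst sport dport nbytes flags")


class Meter:
    def __init__(self, customer=CUSTOMER, reply_window=REPLY_WINDOW):
        self.customer = customer
        self.reply_window = reply_window
        self.tcp = {}   # conversation key -> (state, held_bytes, last_time)
        self.udp = {}   # conversation key -> time of last outgoing request
        self.billed = 0
        self.seen = 0

    def _key(self, p):
        """Same key for both directions of one conversation."""
        if p.src == self.customer:
            return (p.proto, p.sport, p.dst, p.dport)
        return (p.proto, p.dport, p.src, p.sport)

    def charge(self, p):
        """Meter one packet; return the bytes billed for it (0 = free)."""
        self.seen += p.nbytes
        handler = {"tcp": self._tcp, "udp": self._udp, "icmp": self._icmp}.get(p.proto)
        cost = handler(p) if handler else p.nbytes   # unknown protocol: bill it
        self.billed += cost
        return cost

    # TCP: billed if the customer makes, attempts, or accepts a connection;
    # half-open attempts the customer never completes (SYN floods) are free.
    def _tcp(self, p):
        # forget half-open attempts that have sat around longer than the window
        self.tcp = {k: v for k, v in self.tcp.items()
                    if v[0] != "pending" or p.t - v[2] <= self.reply_window}
        k = self._key(p)
        outbound = p.src == self.customer
        state, held, _ = self.tcp.get(k, (None, 0, p.t))
        if state is None:
            if outbound and p.flags == "S":
                self.tcp[k] = ("billed", 0, p.t)          # customer dialled out
                return p.nbytes
            if not outbound and p.flags == "S":
                self.tcp[k] = ("pending", p.nbytes, p.t)  # someone knocking: hold
            return 0                                      # stray segments: free
        if state == "pending":
            if outbound and p.flags == "SA":
                self.tcp[k] = ("billed", 0, p.t)          # accepted: bill the SYN too
                return held + p.nbytes
            if outbound and "R" in p.flags:
                del self.tcp[k]                           # refused: free
                return 0
            if not outbound:
                self.tcp[k] = ("pending", held + p.nbytes, p.t)  # retransmitted SYN
            return 0
        return p.nbytes                                   # established: bill everything

    # UDP: outgoing always billed; incoming only as a reply to a recent request.
    def _udp(self, p):
        k = self._key(p)
        if p.src == self.customer:
            self.udp[k] = p.t
            return p.nbytes
        sent = self.udp.get(k)
        if sent is not None and 0 <= p.t - sent <= self.reply_window:
            return p.nbytes
        return 0   # unsolicited (or forged reply): free

    # ICMP: free, except outgoing echo requests, billed double to cover the
    # expected reply without keeping state about pings.
    def _icmp(self, p):
        if p.src == self.customer and p.flags == "echo-request":
            return 2 * p.nbytes
        return 0


def sample_traffic():
    """Constructed packets: normal use mixed with the abuse the thread describes."""
    c, web, dns, bad = CUSTOMER, "198.51.100.20", "198.51.100.53", "192.0.2.99"
    return [
        Pkt(0.0, "tcp", c, web, 40000, 80, 60, "S"),        # web fetch: billed both ways
        Pkt(0.1, "tcp", web, c, 80, 40000, 60, "SA"),
        Pkt(0.2, "tcp", c, web, 40000, 80, 52, "A"),
        Pkt(0.3, "tcp", c, web, 40000, 80, 300, "PA"),
        Pkt(0.5, "tcp", web, c, 80, 40000, 1500, "PA"),
        Pkt(1.0, "udp", c, dns, 50000, 53, 70, ""),          # DNS query and answer: billed
        Pkt(1.1, "udp", dns, c, 53, 50000, 200, ""),
        Pkt(2.0, "udp", bad, c, 53, 50001, 1400, ""),        # forged, unasked "reply": free
        Pkt(3.0, "tcp", bad, c, 1111, 80, 60, "S"),          # SYN flood, never completed: free
        Pkt(3.0, "tcp", bad, c, 1112, 80, 60, "S"),
        Pkt(3.0, "tcp", bad, c, 1113, 80, 60, "S"),
        Pkt(4.0, "tcp", bad, c, 2222, 23, 60, "S"),          # refused with RST: free
        Pkt(4.1, "tcp", c, bad, 23, 2222, 40, "R"),
        Pkt(5.0, "tcp", web, c, 3333, 22, 60, "S"),          # accepted on own server: billed
        Pkt(5.1, "tcp", c, web, 22, 3333, 60, "SA"),
        Pkt(5.2, "tcp", web, c, 3333, 22, 500, "PA"),
        Pkt(6.0, "icmp", c, web, 0, 0, 84, "echo-request"),  # ping out: billed twice
        Pkt(6.1, "icmp", web, c, 0, 0, 84, "echo-reply"),    # reply: free
        Pkt(7.0, "icmp", bad, c, 0, 0, 1400, "echo-request"),  # inbound ping flood: free
    ]


def meter_sample():
    """Run the sample through a meter; return (bytes billed, bytes seen)."""
    m = Meter()
    for p in sample_traffic():
        m.charge(p)
    return m.billed, m.seen


if __name__ == "__main__":
    print("billed %d of %d bytes seen" % meter_sample())
```

Of the 6110 bytes in the sample, 3030 are billed: the web fetch, the DNS exchange, the accepted SSH connection (including its SYN) and the outbound ping at double weight. Everything the customer neither initiated nor completed is free. The pending table is pruned on a timer because a SYN flood would otherwise grow it without bound, which is the same state-exhaustion problem the poster alludes to with "sufficiently stateful".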
1) Have users pay for a certain amount of bandwidth and when that's exceeded, they lose service temporarily. E.g., if I'm paying for 1GB per day but I go over that, for any reason, I'll lose service for part of the day --- but that's better than being socked with a huge unexpected bill. This works for incoming and outgoing traffic. It protects the ISP and the customer.
2) A nice technical feature would be to be able to push packet filters from the customer to the ISP without human intervention. After all, if the ISP's router is going to forward a packet P to next-hop X, then it may as well obey filtering instructions from X for packet P, since if it doesn't X can just drop P. This can be extended many hops into the network. This only protects against incoming traffic.
Sure, this could ignite a thread about [insert software vendor of your choice] and their hole-filled software with respect to how fast service patches come out, but it's not meant to. It's about the reality of technology and the responsibility that goes along with it. You want the privilege of live internet? I think you need to know the basics of networking and security first, because it's a public forum and what you do has an impact on others. Don't want to step up? I've got an AOL CD with your name on it.
The security of my computer (and therefore, my bandwidth) is my responsibility. The physical security of my house is my responsibility. What about my car at the parking lot? Most places say they're not liable. So...I take the responsibility of making sure my doors are locked (and taking the risk of an actual glass-break-in) if I want to shop at [department store]. Being live on the internet isn't much different. You're still traversing among the public, only now the population is MUCH bigger. As soon as I stick my Cat5 in the wall, security IS my responsibility. I don't buy the stance of "it's Microsoft's fault my box is insecure, and there was no patch." We're all adults. You run what you choose on your equipment, and that's your decision. My ISP runs wide open, and they make it known that there isn't any filtering and firewalling going on. They like to deal with the computer savvy customer and encourage the use of a non-Windows machine for your firewall, and have free classes on how to set it up. If my WinNetOpenBeOSFreeBSDLinuxBox gets hacked and there's a patch or a config file that I neglected to update/change/whatever, isn't it my responsibility? I think so... You take your lumps, learn, and do better next time. The internet, like the circus, is a place where the smart get sifted from the ignorant, and usually the ignorant get parted with their money. Pay your nickel (i.e. know your network), ride the ride...otherwise, you're in Soviet Russia....
-- I'd say your post was about 3 monkeys, 18 minutes.
What you may be interested in is where you stand legally. A RAND study made during the middle eighties (obviously not internet related) covering similar thefts returned the following conclusion.
In the case where the theft occurred (mutually) from both a commercial and private victim, the commercial victim is generally assigned the majority of the loss because they are considered to have superior knowledge and been in a better position to have prevented the theft from taking place.
Since the theft was allowed by two entities (the target computer and the ISP servers that allowed the theft to take place), both entities would probably be apportioned a percentage of the cost.
Since this has never gone to court, there is no case material to set some form of guidelines.
My guess is that apportioning the entire blame to the customer (and billing them) would not hold up if the customer filed against you.
Depending on what measures your ISP has taken to prevent this type of abuse (filters, scanning, etc.) you could probably get away with some form of apportionment where the customer is billed for part of the cost.
Tom
So I have something that answers to an ip address. What's bandwidth? If someone's hammering me with any kind of packet, it doesn't matter what I do with my networking layer, it's already been sent to me by the ISP and therefore counts as bandwidth? If so, I'm completely at the mercy of literally anyone on the internet (my ISP included, if they so desire to ramp my fees) who wants to spew whatever they want at me, despite the fact that I don't even look at the traffic, and I have to pay for that incoming bandwidth?
IANAL, but I would think charges resulting from an attack would be pretty easy to dispute in civil court. Unfortunately, you're probably always losing the potential to use some bandwidth because of various attacks, spam included.
- Charge a fixed amount to cover fixed costs, plus a metered rate for all traffic between me (or a proxy (see below) acting on my behalf) and their external interface(s).
- Provide access to a web caching proxy, a DNS resolver, and a NNTP server. (And maybe some other things in that spirit? If the users use "P2P" software, the ISP should run some sort of cache for it.) Also, hopefully, a local (shared by the ISP's customers, but not with the internet at large) mirror for whatever is popular+large (e.g. Gentoo portage). The idea is that lots of users end up transferring big things only once, and split the bill. (I guess the first guy to ask for something ends up paying. Oh well, he won't always be first; it'll work out.)
- Have a way (probably a web page) for me to see how much traffic I've used, preferably with some detail that I can use (see firewall, below).
- A packet-filtering firewall (at the ISP, not at my house) that I can configure to reject things before they cost me money or saturate my link to the ISP.
- Let me run whatever services I want, since I'm paying for it.
That would be almost perfect. There are still some kinds of abuses not initiated by me, though, that could get through a packet filtering firewall. But it would still rock. Or if you wanna get really fancy, have proxies split up a bill among all those who download something through it. Great incentive to use the proxy. Everybody wins except advertisers, which is how it should be. Fuck, install ad filters on the proxies too.
Big attacks should be reported to Homeland Security. (Really. Effective March 1, Homeland Security runs the National Infrastructure Protection Center. ISPs are going to be dealing with them on a regular basis.)
ISP's should eat the costs.... If you provide me with a service that claims to provide me with a certain bandwidth.... then that is what i get.
Because YOUR (ISP) system of delivering bandwidth is faulty or doesn't account for abuse potentials is NOT my (consumer) fault.
If you decide to enforce a D/L cap, i myself will not be your customer....
If I was the average joe who opted to take on that bandwidth cost then I would blame YOU the ISP for allowing malicious data to be replicated at obvious expense.... as in if a port is responsible for great amounts of malicious traffic (repetitive, near obvious redundant packet exchanges indicative of an attack, worm, or virus).
The whole thing is, as an ISP... the service you provide should be a fully enclosed package... no hidden/additional costs. And bandwidth capping should not incur automatic additional costs to the consumer after a limit is reached; it should result in a great limiting of bandwidth (after a certain amount is reached) or in a blocked connection (allow only the company's IP until the customer buys more bandwidth).
My personal opinion, we are getting dicked by the telecommunications industry from the top down... everything from home phones, cable, cell phones, broadband, T1's and more are grievously over-priced at a near basement cost to the mother companies. By the time a consumer receives their data the fixed price of hardware and the cost of ELECTRICITY has been multiplied ten-fold. Mid-range ISPs are being squeezed by the big players, and in turn are having to offer misleadingly high "bandwidth" speeds with BullShit Capping.
Downloading megabytes into your cell-phone doesn't cost Sprint shit, but you'll have to pay 1.00 per DL.
Of course the tel-co's are screaming bloody murder about their losses, but it isn't from data rates.
As a last note.... when we were all using 56kbps modems you could DL for days on end... you could call your local BBS and be charged a phone call while DLing full-speed for hours.... No extra cost... didn't cost them a thing since we paid for the phone call.... Now that High-Speed is in the home.... and the tel-cos found they could save even more money by offering bandwidth speeds based on diluted averages of many users, they think it's fair to make more money by punishing those who ACTUALLY USE THEIR bandwidth. Bandwidth which is only ELECTRICITY. Do you honestly think Time Warner can offer 500 channels of digital cable, with "on demand" channels (where you can choose a movie and play it immediately) for 60$ bucks a month and not provide that same (nearly continuous) data rate to internet connections?
Luckily.... with the advent of online movies, music and application servers and such, soon even joe email will be needing a constant high-speed connection.
Just my two cents.... VISION
--Enter The Sig--
--Idiots, Every single one of YOU, A flaming mass of conglomerated morons, hey wait a second, isn't that how RAID works?
Suppose you live on a crosspoint of several countries. Your house happens to be located in a dangerous curve on the road. Also for some reason your house looks to some kiddies like it asks to be vandalized.
For these reasons you get a lot of breakin attempts, occasionally a truck crashes through your walls. All this is not only by people from your own country, but from neighbouring countries as well.
You install warning lights and other measures so cars and trucks don't come crashing in. You call the police when kiddies vandalize your home, but they say they can't do anything.
All this costs you a lot of money and headaches.
In real life there are several ways to defend yourself:
Now apply these principles to your hosting server.
Suppose your house is rented. Is the person renting you the house responsible for every breach? Did he warn you before you signed the contract? Is it his responsibility to call you every time some vandals are passing on the road? Or some truck may crash into your home?
Of course your ISP can warn you for every threat that may be coming, but what if there's no warning time? Or he misses a small thing that happens to affect your server bigtime? Is the ISP really responsible?
Be careful out there...
I would go so far as to suggest compromise, if there is a means of calculating generally the bandwidth consumed by the badness. It is true that the customer must maintain and patch his server, but, at the same time, customers often rely on firewalls at the ISP to protect them from errant nonsense, and many exploits can be blocked at routers or firewalls.
As the customer does still bear some of the cost, there remains the incentive to close the holes, and there is also an opportunity for the ISP to earn some consulting money in providing the service of patching and locking down the system, if they can sell that service to the client.
And you'd get cut off and be in court for not paying your bill.
Carpe Deez
We're talking about inbound spikes, over which the customer has no control. They could have a rock solid system with every patch that's ever been invented on it, and it would make no difference.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
ISP A has customer X. ISP B has malicious user Y. Malicious user Y sends huge quantities of packets to user X.
The question seems to be, should ISP A eat the cost, or should customer X eat it? Why the hell are those the only two options?! It seems to me like ISP *B* should eat the cost, since the malicious packets were sent through their network in the first place. ISP B can attempt to recover their loss directly from malicious user Y.
The ISP *and* the customer are both victims in a DOS attack. Whoever runs the network which *initiated* the attack should be responsible.
Perhaps what is needed is a 'circuit breaker'. If a bandwidth/second is exceeded, or perhaps exceeded for a period of time, then break connection to the net for five minutes.
First, the client has no control over the virus going around, giving them craploads of incoming data. The ISP ought to filter port 1341 (or whatever it was), and then have customers notify them if they need that port opened up. I figure you probably don't need MS SQL outside of your internal network, so blocking the port at the ISP's level not only sends that data to /dev/null, but also makes the customer more secure.
The Doormat
If you're not outraged, then you're not paying attention.
...that lets them set an incoming bandwidth alarm level and also allows them to post an inbound IP block on traffic headed for their network.
This gives them the information and the tools they need to manage the problem.
"A microprocessor... is a terrible thing to waste." --
GeneralEmergency
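Three proposals in this thread fit together as one mechanism: the daily quota after which service pauses until the next day (the "1GB per day" suggestion), the 'circuit breaker' that cuts the link for five minutes when a rate is exceeded for a period of time, and the incoming bandwidth alarm level just above. The following is an added example of how an edge-side breaker for one customer could combine them; it is not any ISP's code, the thresholds are constructed defaults, and the input is a constructed series of one-second inbound byte counts.

```python
"""Edge-side bandwidth circuit breaker combining three ideas from the thread:
a daily byte cap after which service pauses until the next day, a rate
threshold that trips the link for five minutes when exceeded for a sustained
period, and an alarm level below the trip point so the customer is warned.

Added example, not any ISP's code. Thresholds are constructed defaults; the
input is one byte count per second of inbound traffic for one customer.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SECONDS_PER_DAY = 86400


@dataclass
class Breaker:
    daily_cap_bytes: int = 1_000_000_000   # 1 GB/day quota
    rate_limit_bps: float = 10e6           # trip above 10 Mbit/s ...
    sustain_seconds: int = 60              # ... if it lasts this long
    trip_seconds: int = 300                # then drop for five minutes
    alarm_bps: float = 5e6                 # warn above this rate
    # internal state
    day: int = -1
    day_total: int = 0
    quota_tripped: bool = False
    over_since: Optional[float] = None
    tripped_until: float = 0.0
    events: List[Tuple[float, str]] = field(default_factory=list)

    def observe(self, t: float, nbytes: int) -> str:
        """Account one second of inbound traffic; return the action taken."""
        day = int(t // SECONDS_PER_DAY)
        if day != self.day:                       # new day: quota starts over
            self.day, self.day_total, self.quota_tripped = day, 0, False
        if t < self.tripped_until:
            return "drop:rate"
        if self.quota_tripped:
            return "drop:quota"
        self.day_total += nbytes
        if self.day_total > self.daily_cap_bytes:
            self.quota_tripped = True
            self.events.append((t, "daily cap exceeded; off until next day"))
            return "drop:quota"
        bps = nbytes * 8                          # one sample per second
        if bps > self.rate_limit_bps:
            if self.over_since is None:
                self.over_since = t
            if t - self.over_since >= self.sustain_seconds:
                self.tripped_until = t + self.trip_seconds
                self.over_since = None
                self.events.append((t, "rate sustained; link off for %ds" % self.trip_seconds))
                return "drop:rate"
        else:
            self.over_since = None                # rate fell back: reset the timer
        return "alarm" if bps > self.alarm_bps else "forward"


def simulate(breaker: Breaker, byte_samples, t0: float = 0.0) -> List[str]:
    """Feed one-second samples starting at t0; return the per-second actions."""
    return [breaker.observe(t0 + i, n) for i, n in enumerate(byte_samples)]


if __name__ == "__main__":
    b = Breaker()
    # constructed: 30 s of normal traffic, then a 20 Mbit/s flood
    actions = simulate(b, [125_000] * 30 + [2_500_000] * 70)
    for i, a in enumerate(actions):
        if i == 0 or a != actions[i - 1]:
            print("t=%3d %s" % (i, a))
    for t, msg in b.events:
        print("event at t=%d: %s" % (t, msg))
```

With the defaults, 30 seconds of 1 Mbit/s traffic is forwarded, the flood raises an alarm for the 60-second sustain window, and at t=90 the link is dropped until t=390. The sustain window is what keeps a short legitimate burst (a Slashdotting, a big download) from tripping the breaker, while the alarm gives the customer the notice the thread keeps asking for before any money is at stake. Bytes dropped while tripped are not counted toward the quota, on the assumption that the breaker sits at the ISP edge and they never cross the customer's metered link.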
I hear a lot about burstable bandwidth. That's what I don't understand. It seems to me that, since the expense in bandwidth isn't how much of it's being used, neither should the cost be. If people bought 384kb up/down, then things like this wouldn't be a problem. Maybe someone can explain to me why I'm wrong...
You could charge for spike "insurance" as an additional fee, that would be smaller than the cost of paying for the cost of an actual bandwidth spike.
This might look like extortion, but you could work out ways it wouldn't. For example, you could offer 3 choices:
1) customer pays for all the bandwidth as usual.
2) customer pays regular flat fee plus small addendum as insurance for major traffic spikes (hire a statistician to get this to work out just barely in ISP's favor over time, and be honest about the process)
3) customer pays regular flat monthly fee and gets shut down upon hitting bandwidth threshold. With permission from customer, site can be restored at regular cost for additional bandwidth.
I think if you were really honest about how you came up with the cost of the insurance, customers would like it. For a lot of people, it's easier to pay $100/month for 12 months ($1200), than it is to pay $80/month for 11 months plus $300 for one month ($1180). Just because you can plan ahead, even if it costs more.
I've personally been burned by this. I had a spare box at my colo that I had completely forgotten about and it got nailed by a worm last fall.
My utilization was 100x normal and I wasn't notified of the problem. I was pretty pissed off when I got the bandwidth bill.
If you're going to charge your customers for these spikes, then you owe it to them to report anomalous bandwidth usage on their machines.
Furthermore, FUCK SPIKE-BASED BILLING. As far as I'm concerned, it's fraud to bill someone $1000 just because they were pushing 10Mbit for an hour.
Bill based on average utilization or actual bytes transferred.
Under criminal and most other law, the criminal becomes liable for both direct and indirect damages. As an example, if a gang robs a bank and a gang member gets shot by a clerk, the gang leader is charged with homicide/murder/manslaughter, as appropriate. In this case, the spammer, worm originator, or other attacker should similarly be held liable for direct and indirect damages -- meaning everything from bandwidth to cleanup.
IPv6 allows many security features, including authentication and nonrepudiation. An ISP (or anyone for that matter) can easily use their logs to verify that packets are from a particular source. By rejecting all packets unless traceable, and then keeping the traces around, the responsible party can be easily found by talking to everyone along the chain until someone either has no logs or originated the attack.
Once you've found the person, simply either eat the cost as is done now (if they are a little person infected with a worm/virus but don't have logs), OR try to get money from them and blacklist from future systems (if they are a real criminal).
Something I would LOVE to see is a system that holds everyone responsible. An Internet where to get an address block you sign away certain rights. You would assert that you will either keep logs of all activities or pay for any damages [see above]. When any software is released for use on this new network, the software company would be held liable for damage done by their software [see Outlook worms]. Any software using the network would have to properly record all network transactions through cryptographically secure undeniable means. Lastly, all commercial communication, unless specific one-to-one talking or client/server requests like the web, would be strictly forbidden, again with damages paid [no spam]. That is my Dream Internet.
frob.
//TODO: Think of witty sig statement
I don't think using more or less bandwidth makes a difference in the costs for the provider of said bandwidth? They only had the costs once, when laying down the cables, satellite links, whatever? So somewhere down the food chain, there is somebody who doesn't have increased costs by increased bandwidth usage? It would be fair if said party would decide to not charge for abused bandwidth (or whatever to call it). Although I must admit that perhaps things can get more complicated. I.e. if the provider has guaranteed a certain bandwidth to another party and that party charges the provider for not delivering. Ultimately I guess it's in the interest of the provider not to charge for abusive traffic, because they want to give their customers a limited risk. They'll be much more likely to sign up with them that way.
You can then turn around and sue the person who caused the damage.
The ISP cannot decide in many cases if the extra bandwidth usage is legit or not, so has no business cutting your line.
When I signed up for cable modem access it was for _unlimited_ access at a flat rate. Later on my ISP capped my upstream and then my downstream.
I was a little disgruntled as this didn't seem like _unlimited_ access to me. However, I am a realist and I know that in order to profit my ISP has to stretch the bandwidth to accommodate a minimum number of customers. So as long as they tell me what the upload and download caps are and how much it will cost to run _unlimited_ at those speeds, I'm okay with it.
I would NOT be okay knowing that there is some byte limit that, if exceeded, could throw me into bankruptcy. I am old enough to remember the days of 12.00 per hour and bills that rivaled my house payment. No thanks, I don't need the internet that bad!
The race isn't always to the swift... but that's the way to bet!
Sure. And what about the time someone who doesn't like me sets up a massive attack that spikes at gigabytes of inbound bandwidth within minutes, and over which I have absolutely no control?
You are asking the customer to write you a blank cheque for something about which he can do nothing, no matter how prepared he may be. That is unreasonable, pure and simple.
You, however, can do something about it. As you pointed out yourself:
So what's wrong with applying the same principle to your customers? If it's a massive spam attack, you guys have far more resources to detect and deal with it than most of your customers do.
You want the argument to hold from both sides, as long as you're on the winning end of each. That's a great goal from a business standpoint, but it's still not going to win you any awards for logic and finding a solution that is fair to all involved.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
... That the previous article about Variable Bandwidth Charges (which will invariably draw rantings and ravings about "It's my pipe, I'll decide how to smoke it!") immediately precedes this article (which has a lot of people ranting about "How dare they smoke my pipe; send the bill to them!").
I expect that tomorrow's stories will include a security hole in Linux and another report of Microsoft claiming that Windows is secure.
Now the question is, who's behind all of this? Is the UN trying to get back at all of the megalomaniacal geeks who have ever said "Well if I ran the world, I'd get things done!"?
-- Kaze (notes that it was Charles de Gaulle who said "Who can possibly rule a nation with 240 different kinds of cheese?" -- and now we've got OS distros to contend with!)
If the burden of responsibility is placed on the ISP the sooner action will be taken to stop illegal/malicious use of bandwidth. Face it, the average user or small company has little recourse due to time, resources and money against stopping a single rate spike instance. For the end user it is cheaper to pay for it than fight.
The ISP on the other hand has the ability to track all activity, even identify systems that have been usurped. If they have to pay for the bandwidth they will stop it. If they end up disconnecting users whose computers are virused, subverted, backdoored or causing the problem, the sooner those systems get fixed. The cost for this is minimal and isn't really paid for by the ISP, they pass the cost onto us.
Just as in the medical world, epidemics are prevented by early identification of the problems. ISPs are in the unique position to do this on the Internet. Or should we just let the FBI do it?
Since 99.99% of all virus/trojan/worm attacks are the result of Microsoft's piss-poor security, I say charge the extra bandwidth spikes due to something like this back to Microsoft!
No matter where you go... there you are.
Argument extends ParentPost //assuming ISP A and user X exist in USA
{
ISP B = new ISP(ISP_in_RUSSIA);
User Y = new User(I_don't_give_a_rip-Spammer);
Screw(A, X);
}
robi
My request for the 2MB MP3 download is only 4K. I send 4K and receive 2MB. What happens if the DOS attack occurs because someone is repeatedly asking for a large file from the person getting hacked?
The real issue is intent. How much traffic is hitting a user that the user did not intend to send or receive?
The only way to figure out the user's intent is to play it by ear.
The other issue is neglect. Was there neglect on the part of the DOS victim?
Clearly a system wide DOS attack (like the one that will occur when Bush starts his war) was not intended by the people being attacked. If the spike was clearly launched by a malevolent third party, then the ISP is probably in a better position to eat the expense.
The problem with charging a third party attack through to the victim is that it makes the targeted attack a success?
If you are an ISP and are only supplying the Internet Connection and I am supplying the system, then it is my responsibility to administer the system, keeping it up to date, monitoring my bandwidth usage. And if my system starts to eat up too much of your bandwidth, it is my responsibility to accept the charges associated with the extra bandwidth or to disconnect my system from the pipe.
If you are a hosting company and you are supplying the bandwidth and the server, and I am only renting space on your server, then it is your responsibility to make sure that your system is up to date and secure. In this case any bandwidth usage that is not directly linked to my site, such as a virus or DoS attack, is your responsibility. My site didn't generate the bandwidth usage, it's not my responsibility to compensate you.
If an ISP advertises UNLIMITED, ALWAYS ON INTERNET then that ISP must deliver said service. The customer should not, and can not, be charged for "excessive" or "malicious" traffic. If an ISP wants to sell prorated internet, then advertise it! Unlimited means unlimited.
And in a colocation situation, I'd hold your equipment pending settlement.
Pull my finger for my public key.
No law against this. It's like me providing you with a doorbell service. If I want more money, I just keep pushing the button. If you were dumb enough to sign up for this then you'd better trust me.
Clickety Click
One way or another...
Oh yes, he will pay.
Build stuff. Stuff that walks, stuff that rolls, whatever.
Such a setup would allow for full utilization of the network bandwidth and avoid all the hassle of pissing people off by sending them extra bills or suspending their account.
I don't care if it's 90,000 hectares. That lake was not my doing.
I have been designing and operating large service provider networks for nearly ten years. This topic has been fiercely debated among my peers, so for further background I recommend that you check the mailing list archives at http://www.nanog.org.
For flooding attacks and mass vulnerabilities, there is no doubt in my mind that this is the responsibility of the service provider. In fact, if service providers would cooperate by implementing sound routing policy, most of the flooding attacks on the internet would be eliminated as a whole. It's simple: Do not forward a packet originating in your AS unless said packet is from your address space. The customer *already* pays for the ability to burst, hence 95th percentile billing.
As for other attacks, I think that compromised hosts on a customer's network are the customer's responsibility. Get owned, and pay the bill. Service providers have no business dictating customer security policy if the internet is to remain an open medium.
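The routing-policy rule stated in the post above ("do not forward a packet originating in your AS unless it is from your address space"), applied per customer port. This is an added example written for this page, not the poster's code; the interface names, prefixes and packets are constructed.

```python
"""Source-address validation at the AS edge (added example, not from the thread).

Traffic arriving on a customer-facing port is forwarded toward transit only
if its source address lies in the space assigned to that port.  Checking per
port, rather than against the AS's whole address space, also stops one
customer forging another customer's addresses.  Everything below is constructed.
"""
import ipaddress

# Constructed assignment table: customer-facing interface -> prefixes assigned to it.
CUSTOMER_PREFIXES = {
    "cust-a": ("192.0.2.0/24",),
    "cust-b": ("198.51.100.0/25", "2001:db8:b::/48"),
}


def build_table(assignments):
    """Parse the prefix strings once so the per-packet check does no string work."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in assignments.items()}


def source_valid(src_ip, iface, table):
    """True if src_ip lies in a prefix assigned to the interface it arrived on.

    Unknown interfaces and unparsable addresses are rejected: a port with no
    assigned space has no business originating traffic toward transit.
    """
    nets = table.get(iface)
    if not nets:
        return False
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr.version == n.version and addr in n for n in nets)


def filter_egress(packets, assignments=CUSTOMER_PREFIXES):
    """Split (iface, src, dst, nbytes) tuples into forwarded and dropped lists
    and total the bytes that would never have left the AS under this policy."""
    table = build_table(assignments)
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, _dst, _nbytes = pkt
        (forwarded if source_valid(src, iface, table) else dropped).append(pkt)
    spoofed_bytes = sum(p[3] for p in dropped)
    return forwarded, dropped, spoofed_bytes


# Constructed sample (RFC 5737 / RFC 3849 documentation addresses): two
# legitimate packets and three with forged sources of the kind a flooding
# host emits.
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10",    "203.0.113.1",    1500),
    ("cust-b", "2001:db8:b::5", "2001:db8:ff::1", 1280),
    ("cust-a", "198.51.100.9",  "203.0.113.1",    1500),  # cust-b's space, sent from cust-a's port
    ("cust-a", "203.0.113.77",  "203.0.113.1",    1500),  # source outside the AS entirely
    ("cust-b", "192.0.2.200",   "203.0.113.1",    1500),  # cust-a's space, sent from cust-b's port
]

if __name__ == "__main__":
    fwd, drop, spoofed = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)} spoofed_bytes={spoofed}")
```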
The ISP is charged by its provider for the bandwidth, and if the ISP suddenly has massive bandwidth utilisation during a month, and they have to pay extra, then it's understandable that they should pass the cost down to the customer.
However, if you think about it - the ISP won't be having to pay its provider more if it does "Above 1Mb/s on *this* pipe.. above .5Mb/s on *this* pipe .. " that they dish out to clients. It actually would get charged if it goes over "300Mb/s" on their providing line(s). (I could be wrong on this - perhaps most of the middle to big sized ISPs/Colos just have to pay a fixed rental, but I'm sure this is how it is for the small ISPs/colo facilities)
What if the ISP doesn't hit the utilisation required for it to be charged extra, but individual systems within its network get hit hard by a particular virus? (Slammer for example didn't pick IPs properly at random, so some IPs would be hit, others wouldn't)
In this situation, I think the ISP should let them off the fee. The ISP hasn't been charged any extra for the slammer traffic, so it should let the customer off the charge. It'll do wonders for loyalty if you can see your provider is fair and reasonable about things.
The other situation to consider is when an ISP does get billed by its backbone provider heavily for extreme and unusual utilisation.
Alright, hold that thought. Right at the top levels of backbone providers, there is no direct cost associated with using 80% or 10% of a backbone line. It simply is. It's at this stage I think, that they should possibly relieve their clients of bills that are easily attributed to big viruses that are doing the rounds. Granted, then what do you do about spam? Where do you draw the line as to what is 'unsolicited/extreme/garbage' traffic?
Another solution I've just thought of is to extend the period that an average is worked out over, so that over the year if you're under 1Mb/s, you don't get charged extra. It should even out massive, but short lived spikes from worms such as Slammer.
Yes, I know contracts are normally clear about traffic levels and bills that you will receive if you break them, but I do think it's unfair for a small site that has just gone colo to suddenly get a bill 10x its normal bill since the latest worm has been targeting its machine, primarily since there is no direct cost to the ISP, or the ISPs provider, that can be attributed to this extra traffic (as long as there is spare capacity!).
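The 95th-percentile billing mentioned upthread and this post's idea of averaging over a longer window, worked through in Python so the difference for a short worm spike is visible in numbers. This is an added example, not code from any poster; the five-minute polling interval, the committed rate, the spike size and the per-Mbps price are constructed.

```python
"""Burstable-billing arithmetic: 95th percentile vs. peak vs. long average.

Added example, not from the thread.  Constructs one month of five-minute
utilisation samples with a single worm-style inbound spike and bills the
same month under the three schemes the posts discuss.
"""
import math
from statistics import mean

SAMPLE_SECONDS = 300                         # one sample every five minutes
SAMPLES_PER_DAY = 86400 // SAMPLE_SECONDS    # 288


def nearest_rank_percentile(values, pct):
    """Nearest-rank percentile: the value at rank ceil(pct * n / 100) in sorted order.

    pct is multiplied before dividing so that an integer pct gives an exact rank.
    """
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered) / 100.0))
    return ordered[rank - 1]


def make_month(baseline_mbps, spike_mbps, spike_samples, days=30, spike_day=10):
    """Constructed month: flat baseline plus one contiguous spike starting on spike_day."""
    samples = [float(baseline_mbps)] * (days * SAMPLES_PER_DAY)
    start = spike_day * SAMPLES_PER_DAY
    if start + spike_samples > len(samples):
        raise ValueError("spike runs past the end of the month")
    for i in range(start, start + spike_samples):
        samples[i] = float(spike_mbps)
    return samples


def bill_95th(samples, committed_mbps, rate_per_mbps):
    """95th-percentile billing: the busiest 5% of samples are discarded, then the
    remaining maximum is compared against the committed rate."""
    p95 = nearest_rank_percentile(samples, 95)
    return max(p95, committed_mbps) * rate_per_mbps


def bill_peak(samples, committed_mbps, rate_per_mbps):
    """Spike billing as complained about upthread: the single highest sample sets the bill."""
    return max(max(samples), committed_mbps) * rate_per_mbps


def bill_average(samples, committed_mbps, rate_per_mbps):
    """Billing on the plain average, the longer-window proposal applied to one month."""
    return max(mean(samples), committed_mbps) * rate_per_mbps


def compare(spike_samples, committed_mbps=1.0, spike_mbps=10.0, rate_per_mbps=100.0):
    """Bill the same spike three ways; returns scheme -> monthly charge."""
    month = make_month(committed_mbps, spike_mbps, spike_samples)
    return {
        "p95": bill_95th(month, committed_mbps, rate_per_mbps),
        "peak": bill_peak(month, committed_mbps, rate_per_mbps),
        "average": round(bill_average(month, committed_mbps, rate_per_mbps), 2),
    }


if __name__ == "__main__":
    one_hour = 3600 // SAMPLE_SECONDS      # 12 samples: a Slammer-scale burst
    three_days = 3 * SAMPLES_PER_DAY       # 864 samples: a sustained compromise
    print("one-hour spike :", compare(one_hour))     # p95 unchanged, peak 10x
    print("three-day spike:", compare(three_days))   # p95 now catches it
```

With 8640 samples a month, the 95th percentile ignores up to 432 of them (36 hours), so a one-hour worm burst costs nothing under it while anything sustained past that point is billed in full.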
Geocities and other free web hosting services allow a certain amount of bandwidth per hour. I know web servers can do this, limit the amount of bandwidth used at one time or the amount of bandwidth allowed to be used in one month or something. Why don't you ask your customers if they'd like to pay for a certain amount of bandwidth and after that are cut off? This way there would be no complaints about too much bandwidth usage as that they won't go over their limit ever. They might not like it, but then again, you'll have to tell them they gotta pay for the amount of bandwidth they use, regardless if they had planned for it or not. They just gotta understand how the internet works.
Now imagine me mocking you like Cartman does: "I had a spare box at my colo that I had completely forgotten about..."
That's your bad
Get down to the nitty. You weren't mad at the ISP. You were mad at yourself for being a network dumbass. Fuck spike billing, yeah maybe. Take responsibility for your own (non)actions? More like it.
People should be accountable. If their PC is infected with a worm or virus which results in a large bandwidth bill, the customer is responsible to pay it. After all, the ISP has a bandwidth bill to pay too, and they certainly don't get a "service credit" just because your Windoze box has W32@Klez.
In addition, making people responsible for their personal worm/virus traffic would make folks more proactive about virus prevention and more cautious of which sites they visit. This IMHO is a Good Thing.
Another potential positive would be that people might start wondering "Why does my friend/relative who runs Linux never complain about viruses?" and "Gee with all these viruses that only affect microsoft products, maybe I should look elsewhere for my software needs."
At least in my state, you are responsible for your car's emissions. If your car is polluting above the state limit, regardless of the reason, it is your responsibility to fix it. They don't care what the reason is for your excessive emissions, whether it was rust, hungry chipmunks, incompetent redneck mechanics, or just a poorly built ford suv. And they have a system of mandatory repairs and/or fines in place to enforce this. This is a Good Thing.
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
For ICMP, charge them for inbound echo requests only if they generate matching outbound echo responses. Charge them for inbound echo responses only if they generate matching outbound echo requests. This gives the customer the ability to control bandwidth usage through filtering if they wish.
For inbound UDP, it's much harder. I don't see any really good way to do this, but perhaps someone else can.
Of course the tools to do this sort of billing might not exist yet, and there are a bunch of details that make this harder than I imply, but this would be the basis of a policy that's fair to the customer.
- Fzz
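The ICMP part of the policy sketched in the post above, as flow accounting: an inbound echo request counts only if the customer answered it, an inbound echo reply only if the customer had sent the matching request. This is an added example, not the poster's code; the flow-record fields, addresses and byte counts are constructed.

```python
"""Matched-ICMP inbound accounting (added example, not from the thread).

Implements the ICMP rule proposed above.  Unanswered ping floods and
reflected replies the customer never asked for fall out as unbillable,
which is exactly the lever the post says a filtering customer should have.
Flow records, field names and addresses are constructed for the example.
"""
from collections import namedtuple

# One record per ICMP packet seen at the ISP's accounting point.
#   direction: "in" (toward the customer) or "out" (from the customer)
#   peer:      the remote address, whichever way the packet travels
#   ident/seq: ICMP identifier and sequence number pairing a request with its reply
Flow = namedtuple("Flow", "direction icmp_type peer ident seq nbytes")

ECHO_REPLY = 0      # ICMP type numbers from RFC 792
ECHO_REQUEST = 8


def billable_icmp_bytes(flows):
    """Return (billable, unbillable) inbound ICMP byte counts under the matching rule.

    Two passes, because flow export does not guarantee a request is seen
    before its reply.
    """
    out_replies, out_requests = set(), set()
    for f in flows:
        if f.direction == "out":
            key = (f.peer, f.ident, f.seq)
            if f.icmp_type == ECHO_REPLY:
                out_replies.add(key)
            elif f.icmp_type == ECHO_REQUEST:
                out_requests.add(key)

    billable = unbillable = 0
    for f in flows:
        if f.direction != "in":
            continue
        key = (f.peer, f.ident, f.seq)
        if f.icmp_type == ECHO_REQUEST:
            charged = key in out_replies     # the customer chose to answer this ping
        elif f.icmp_type == ECHO_REPLY:
            charged = key in out_requests    # the customer asked for this reply
        else:
            charged = False                  # other ICMP types are outside the rule; left uncharged here
        if charged:
            billable += f.nbytes
        else:
            unbillable += f.nbytes
    return billable, unbillable


# Constructed sample (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    # a normal ping the customer answers: the request is billed
    Flow("in",  ECHO_REQUEST, "203.0.113.5",  1, 1, 64),
    Flow("out", ECHO_REPLY,   "203.0.113.5",  1, 1, 64),
    # a ping flood the customer's firewall drops: no replies, nothing billed
    Flow("in",  ECHO_REQUEST, "198.51.100.7", 9, 1, 1500),
    Flow("in",  ECHO_REQUEST, "198.51.100.7", 9, 2, 1500),
    Flow("in",  ECHO_REQUEST, "198.51.100.7", 9, 3, 1500),
    # the customer's own ping: the reply it asked for is billed
    Flow("out", ECHO_REQUEST, "192.0.2.1",    7, 1, 64),
    Flow("in",  ECHO_REPLY,   "192.0.2.1",    7, 1, 64),
    # reflected replies the customer never requested: not billed
    Flow("in",  ECHO_REPLY,   "192.0.2.99",   3, 5, 1400),
    # destination unreachable: outside the echo rule
    Flow("in",  3,            "192.0.2.1",    0, 0, 100),
]

if __name__ == "__main__":
    print(billable_icmp_bytes(SAMPLE_FLOWS))   # (128, 6000)
```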
Just wondering this. If the person sending the packet pays a bill for that packet and the person receiving that packet also pays a bill, they are both paying on that same packet. Why not just shift the price so that only sending packets are paid for?
I know it's a stupid question, but why not? Other than the fact that somewhere someone is saying "Shit, people finally woke up and realized they are paying twice for the same thing, there goes half our revenue." Why ARE we paying twice? Either pay for outgoing, or pay for incoming. If somewhere someone already paid to send that packet to the net, then the receiver should not have to pay for receiving that packet, or vice-versa.
The only real problem I can see with this is that you have clients and you have servers. With clients sending few packets to receive back several thousands (or millions). A new pricing model should really be setup for the whole system, but that will never happen unless everyone stops making money off the current system.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
Attacks like CodeRed, NIMDA, Slammer are the problem, and these days it's the cost of doing business on the net.
Unless your agreement, contract, or whatever is in place with your customers has a provision for such bandwidth usage that is generated because of worms and the like, the ISP should not be responsible. After all, the ISP's job is to connect their customer to the internet, not regulate what happens on the internet.
The big problem I see here is that people need to know their maximum exposure. Essentially, the exposure of an account is unlimited.
As for the cost, the ISP doesn't just pass on the cost, they pass on the cost plus a tidy 70% profit margin.
Remember, these ISPs have dot com brains. When an ISP sees that they can make beaucoup bucks by DOS attacking clients...well, expect some outrageously large bills.
What many posts in this thread do not seem to take into account is the greater reality that is the web. With a completely patched server and firewalling that drops packets not desired to hit said server, incoming bandwidth is changed none whatsoever. You have zero control over traffic until that traffic hits a device under your direct control. With most ISP's, that device can only be placed well past their traffic monitoring point. Ergo, you pay for bandwidth whether you want it or not.
You do have the ability to reduce the total amount of bandwidth consumed by dropping unwanted return connections but that may be irrelevant if your site is subjected to a DDoS attack.
The largest problem lies in determining whether traffic is "legitimate" traffic BEFORE it passes through the ISP's network to the client. That said, there are a great many possible ways to accomplish this, such as:
The above are merely ideas or concepts, I will leave implementation to those that require the features. But it gives a good idea of the directions that an ISP can go to mitigate the costs of unwanted bandwidth. Just like Credit Card companies will call a customer to verify that they really do want to purchase that Tiffany diamond in a State they've never visited before, maybe ISP's should be monitoring traffic for irregular patterns and contacting customers to verify that the traffic is legitimate.
ISP's can't merely turn a blind eye when the entire netblock they serve starts sending or receiving traffic generated by the latest worm, virus, etc. They should do their best to mitigate their losses and losses of their customers.
I'm not saying that customers are without blame, just that the people running ISP's may have more technical knowledge than that of their customers and should be proactive in protecting those customers from further harm. If you want a real-world, non-technical example, think Firestone and Ford. A problem created outside of Ford that could have been eliminated before reaching the customer if only greater due diligence had been used. By ignoring or overlooking the problem (I don't know the exact details) both Ford and its customers were negatively impacted. Was it Ford's fault that the tires were faulty? No. Could they have done something about the tires earlier? Possibly. Could the customer do something about the tires? Yes, but only after they knew of the problem by experiencing the negative consequences.
The scenario doesn't differ much when applied to unwanted bandwidth. If ISP's fail to do their part, unwitting customers will always suffer.
Why not make the internet like phone service. You don't pay extra for accepting a long distance call (unless collect), you do pay for making them. The big problem is in consideration of large-volume MP3/movie downloaders, but the ISP should be able to differentiate between traffic on the kazaa et al. ports and whatever flavor-of-the-day virus is currently out banging on random servers.
My favorite post is still the one stating that their ISP ignores the peak 10% bandwidth times... which should get around short bursts of heavy traffic due to virii, slashdotting, etc.
amuse yourself - phorm
So those users got about 56k, right?
Banaaaana!
People make this way too complex...
Customer says "I want 1 Mbs Burstable to 5Mbs"
ISP says "If you use it, you're gonna pay X dollars"
Customer says "Okay" (and signs a contract)
ISP says "Here's the documentation, pay your bill"
Customer says "I'm not paying that, a virus did that"
ISP says "Please look at your contract where YOU are responsible for bandwidth YOUR servers/network uses... Pay your bill"
Customer says "I'm not gonna"
ISP says "If you're dumb enough not to protect your stuff, and you don't pay your bill, you're outta here"
Customer says "Fine, I'm going elsewhere"
Customer says "New ISP, I want 1Mbs Burstable to 5Mbs"
NewISP says "If you use it, you're gonna pay X dollars"
And the cycle starts all over again......
1) set up an ISP
2) charge extra for exceeding bandwidth cap
3) allow infected hosts to ddos customers
4) profit!
I don't understand why people charge for bandwidth. It's not like electricity where there is a limited resource that is consumed in order to create the current which goes down the wire.
Let's say I get a T1 to my house. If it's full or empty it still costs the guy providing it to me the same amount of money. It should be a solid monthly fee, or an appropriate one time only fee. It's like the phone bill, it doesn't cost the phone company more money when you make 1000 local calls or 2 local calls, so you have a flat rate for unlimited local calling. Same with bandwidth.
Since the top provider doesn't need to charge for bandwidth, nobody down the line should have to either. If I pay a flat monthly fee, everyone I host can also pay a flat monthly fee. And so on and so forth. Let's say someone happens to use excessive bandwidth and it causes a service disruption (they get slashdotted). If this doesn't cause a service disruption for anyone else, who cares? If it does cause a disruption, the person who was slashdotted is responsible to pay for that loss of service. And the people who lost service end up paying less, because they didn't get what they paid for. In the end though, whether I use 100GB in a month or 2GB in a month, if it doesn't make anyone else's connection slower it doesn't cost the guy providing it to me more money.
If it does, I'd sure like someone to explain how. Sounds to me like someone at the top has an evil pricing scheme and is just trying to make extra dough.
The GeekNights podcast is going strong. Listen!
Here in New Zealand, the Sale Of Goods act prevents any company invoicing for products not specifically ordered. Given that Internet connection pricing is generally broken into two parts, a Connection part and a Data Traffic part, it seems obvious to me that in the "data" part of the bill, you are being invoiced for packets you not only did not request, but your PC did not even send an ACK packet for! Your router may be configured to dump all packets not requested, or sent to any but specific ports. They never reach your PC, and yet your ISP will still charge for those packets. The "packet" is the basic unit of exchange on the Internet, and it's the combined packets which accumulate for your bill. I think in a court of law it can successfully be argued that unrequested data traffic (Hacker attacks etc) can not be legally billed to the client. This would amount to Pro Forma Invoicing, and a lot of precedent says you just can't do that! This places ISPs in a sticky situation - how can you accurately measure the (requested) data traffic for a client? Do you have to examine every packet and match an equivalent ACK packet before that packet is added to your traffic? That seems like an incredibly expensive option! How about a client-side program which runs constantly, which disables your internet access if shut down? This might work, but is open to H@x0r1|\|6 on the client-end.
How many escape pods are there? "NONE,SIR!" You counted them? "TWICE, SIR!"
and no more what if the internet was a peanut butter and jelly sandwich comments, eeegads.
Real world solutions... If we get hit with crackers, or slammed due to someone else's server looking for a host to infect, we simply log traffic, and report upstream that we have this much traffic busting through, it was unwanted traffic, we asked for upstream countermeasures at X time. Then the account heads get together and haggle out what will be paid by the end user. Usually cut and dry.
You don't have to be a user of MS products to be a victim of their negligence and faulty product design. Picture if you will, a scenario whereby I'm driving down the road in my brand "A" vehicle. You and several other motorists are driving in your brand "B" vehicles in near proximity to me when all of a sudden the fuel tanks in several of the brand "B" vehicles explode due to negligent and faulty design, and causes harm to me and my vehicle. Do I get to sue the holy crap out of automaker "B" and likely win a huge civil damages award? You betcha. MS is like that brand "B" in that they've propagated a huge number of negligently unsafe software products all over the world and when those products cause harm to innocent third parties, then you have a very sound case to seek civil damages.
In normal tort and contract law, there is a notion of 'reasonable' behavior and well understood 'duty.' Not so here. Thus, attempts at analogy do poorly.
In the 'real' world, it's clear who is supposed to do what. And if everyone is a good citizen, then everyone is pretty safe.
Example: If I sell you a sandwich, I have a duty to not poison it. I even have a duty to take reasonable steps to ensure that other people don't put poison into it. For example, if I saw someone lick it and put it back on the counter, it's reasonable to expect me to throw it away, and not resell it (and for me to get the perpetrator to pay me for it).
But that duty has reasonable limits. It is not reasonable to expect me to erect Fort Knox level security around my store, just to keep people from breaking in at night and adulterating the sandwiches.
These simple concepts apply to millions of practical applications, from product liability involving millions of consumers to simple traffic accidents. A few simple rules can actually implement a lot of what is required by 'common sense' or 'justice' or 'fairness' (thus, tort law is pretty efficient code).
But these concepts -- and hence our analogies -- don't apply well to the internet, for two reasons. First, there is a notable lack of consensus as to what the duties of each party should be. Second, we have not identified what duties will actually protect us. As Graham and Staniford, Paxson, Weaver have pointed out, the palliative 'we all have a duty to keep everything patched' does not really help with fast worms. Even with a lot more patching going on, we remain very vulnerable to fast worms.
So, even if we are all good citizens, bad things can still happen (like expensive bandwidth being consumed by a fast worm). Thus, normal tort analogies will fall short. There are some extraordinary tort analogies that might work, like who pays for what after a tornado or other Act of God. (Your cow flew through my window, who pays?) But even those will rely on consensus views of what constitutes 'reasonable precautions' - views that have been forged over generations and generations. So that will take time.
In the meantime, we should consider new public services to protect society in ways that mere 'good citizens' cannot - like we do with epidemics, fires, and other Acts of God. Staniford, Paxson, Weaver have proposed a CDC of cyberspace. Seems like a very good idea.
If a site hosted within our systems suddenly spikes because of slashdot or whatever, I will administratively throttle it down a bit to prevent it from consuming all available bandwidth. If it's caused by a vulnerability in our systems (all BSD-based), we will eat it, as we should.
If a co-lo'd customer, or someone paying for bandwidth, starts to spike we will examine the cause. ALL of my customers are required to go through a firewall managed by us. They do not have access to it. If a new virus comes out, it goes in the blacklist rule and those inbound connections are not allowed. We will also block certain outbound (all netbios ports by default, plus virus ports, and those which things like rootkits would use) connections unless explicitly requested by the customer - in that case, they are made to understand that they are using a port which is known to be related to security risks, and it's on them if they get hacked/infected and spike their usage.
We don't shut people off. And if it's a small overage I'll usually let it slide. However part of their contract includes an agreement by them to keep their systems virus free and patched to current security levels. If they triple their usage because they were lazy, they will pay. As a security engineer I simply cannot accept the "we didn't know" excuse - there are multitudes of notification email lists you can get on to find out if your systems are vulnerable. This also forces people to take a more proactive stance on security, and prevent these things from happening in the first place.
Your ISP will already send you packets without knowing if you want them or not, there's no form of validation of that.
With a CC purchase, it's supposed to be validated that you authorized the purchase. If the validation system fails, it's the CC company's problem.
Basically, when you sign up for connection to Internet you agree to be the recipient of packets, and pay for those.
The best analogy I manage to come up with is that you're running a toll-free number, and someone is DDoS'ing your phone lines. Will the telco bill you for the phone time anyway, even if you didn't want all that traffic? Undoubtedly.
Kjella
Live today, because you never know what tomorrow brings
When it comes down to it, it's the ISP's responsibility to provide service, and when the customer can't get it because (virus) traffic spiked and then gets billed for it, I would definitely be a pissed off customer. Also, it should be the ISP's responsibility to protect their own networks against such unnecessary traffic...
Apache does that; I assume other decent web servers do, too.
That is, of course, exactly the problem - I remember a month or two ago,
I've got a site on a 128k link - it would stand no chance if /. linked to it! And if you think that "properly configuring" means "buying a fatter pipe", then why should I pay for one, just for /.'s benefit? It does me well enough for around 1000 visitors/day. If /. wanted to link to my site, I'd be quite happy for them to mirror it for the day, with prior, explicit approval from myself.
If I was /.'ed, I would be unable to serve pages to innocent visitors coming in from Google or wherever, who quite possibly don't know or care about /. They just think "site's down" and go away. That gives them a bad impression of my site, which (if I was selling stuff) I could easily prove caused me financial loss. I'd just have to show that for every X visitors I get $Y in revenue, and that on the day I was /.'ed I only got $Z in revenue. I've lost $Y-$Z in that day, plus the customers who would have returned if they'd been able to get to the site when they first found it.
Author, Shell Scripting : Expert Re
Charging on outgoing packets is an idea with some interesting side effects. If you start charging per byte, then all of a sudden theres an increased incentive by the ISP to encourage use rather than discourage. Of course there's also a new incentive to keep it legal, as the ISPs then profit off of piracy networks. So what kind of data would both be legal (at least at the federal level) and bandwidth consuming?
Perhaps a glance at another real world communication network where the burden lies on the sender: the US Postal Office. Good ol' USPS makes a good deal of revenue off their "bulk rate" which is basically junk mail. In fact, without junk mail the post office probably couldn't turn a profit.
If a sender-burden internet were the norm, it's often argued that spam mail would trickle to a halt as the burden would easily tip the scale of profitability. I argue that rates would not be set so prohibitively, although I do not have the time to research the cost benefit weights.
I Browse at +4 Flamebait
Open Source Sysadmin
I was watching a story on TechTV (guilty pleasure) about a guy that came up with a novel implementation of an AI that played Tetris.
This guy had a webpage that showed how he did it, which got slashdotted when everyone tried to visit. As if that wasn't bad enough, the next month he got a $7000 bill from Earthlink because he exceeded his bandwidth limit.
Who would be responsible for that? It's not like he submitted the story to Slashdot...
There are 01 types of people in this world. Those that understand binary, and me.
This is like having your credit card stolen. If you notice, and notify the company promptly so they can start blocking charges then you are only out $50 (and sometimes they even waive that). However if you don't notice until your bill comes at the end of the month that it's been gone for a whole month, then you're out the whole amount.
Same thing for bandwidth. If the customer notices a problem and notifies the ISP so they can take steps to block / track the attack then they shouldn't have to pay. However, if they are too lazy to monitor their own gear, and/or call the ISP they deserve every dollar they get charged. The customer needs to be a partner with the ISP in fighting these sorts of things, otherwise the ISP never has a chance to catch the real criminals.
Of course, all this is for medium size and up ISP customers. Smaller businesses and/or individuals may just want a "turn it off if it goes above x" until I call model, which is completely reasonable.
It keeps the system simple. If someone gets hit by a ddos, the victim pays. No tracking people down, no trying to get money from a 13 year old PFY who got mad because the girl who sits next to him in class didn't laugh at his joke today.
Unfortunately, as long as it's like this, there will be no improvement. DDoS's would die overnight if all spoofed traffic went straight to the bitbucket. Tracking down the few people silly enough to try would be a cinch, simply follow the IP trail backwards.
How to stop spoofed packets? Simple. At the border of the internet, simply start filtering. If your cable modem starts spewing packets with a source IP in china, something is wrong and the first router you hit should say "Damn, I had no idea China was in the middle of Arkansas." then immediately drop the packet and notify someone there is a problem.
But, the money and the laziness is in the system as it stands now. There is no money in fixing it, and unless everyone all over the world fixes it, it won't be completely effective.
If I have been able to see further than others, it is because I bought a pair of binoculars.
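Source-address validation at the first hop, as the post above sketches (the first router should notice a source address that cannot belong to that port, drop the packet and tell someone), as an added example in Python that is not code from the post or from any vendor's product. The port names, prefixes, packets and alert threshold are all constructed. The DHCP bootstrap case is the one a naive "is the source inside the assigned prefix" check gets wrong, so it is handled explicitly.

```python
"""Source-address validation at a customer-facing access port.

Added example; port names, prefixes and packets are constructed. Real gear
would take the per-port assignments from provisioning or DHCP snooping data.
"""
import ipaddress
from collections import Counter

# Constructed assignment table: the prefixes each access port may legitimately
# use as a source address (RFC 5737 documentation ranges).
PORT_PREFIXES = {
    "cable0/1": [ipaddress.ip_network("203.0.113.0/29")],
    "cable0/2": [ipaddress.ip_network("198.51.100.16/28")],
}

# Out-of-prefix packets from one port before the NOC is notified (constructed).
ALERT_THRESHOLD = 3


def is_dhcp_bootstrap(pkt):
    """A host with no address yet sends DHCP DISCOVER from 0.0.0.0 to the
    broadcast address; a bare prefix check would drop it, so allow it explicitly."""
    return (pkt["src"] == "0.0.0.0" and pkt["dst"] == "255.255.255.255"
            and pkt.get("dport") == 67)


def source_valid(port, src):
    """True if src falls inside a prefix assigned to this port."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PORT_PREFIXES.get(port, []))


def ingress_filter(packets):
    """Apply the check to a stream of packets.

    Returns (forwarded, dropped, alerts). Dropped packets never leave the edge,
    so nothing downstream is billed for them or has to absorb them."""
    forwarded, dropped, alerts = [], [], []
    spoofed_per_port = Counter()
    for pkt in packets:
        port = pkt["port"]
        if is_dhcp_bootstrap(pkt) or source_valid(port, pkt["src"]):
            forwarded.append(pkt)
            continue
        dropped.append(pkt)
        spoofed_per_port[port] += 1
        if spoofed_per_port[port] == ALERT_THRESHOLD:
            alerts.append(f"{port}: {ALERT_THRESHOLD} packets with sources outside "
                          f"its assigned prefixes (latest src {pkt['src']})")
    return forwarded, dropped, alerts


# Constructed sample: one port behaving, then spoofing; a second port using a
# neighbour's legitimate address, which is still wrong for *that* port.
SAMPLE_PACKETS = [
    {"port": "cable0/1", "src": "203.0.113.2", "dst": "198.51.100.200", "dport": 80},
    {"port": "cable0/1", "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67},
    {"port": "cable0/1", "src": "192.0.2.77", "dst": "198.51.100.200", "dport": 80},
    {"port": "cable0/1", "src": "192.0.2.78", "dst": "198.51.100.200", "dport": 80},
    {"port": "cable0/1", "src": "192.0.2.79", "dst": "198.51.100.200", "dport": 80},
    {"port": "cable0/2", "src": "198.51.100.20", "dst": "203.0.113.2", "dport": 443},
    {"port": "cable0/2", "src": "203.0.113.2", "dst": "198.51.100.200", "dport": 80},
]

if __name__ == "__main__":
    fwd, drp, alerts = ingress_filter(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    for line in alerts:
        print("ALERT", line)
```

The check is per port, not per network: the last sample packet carries an address that is perfectly valid on cable0/1 but is dropped because it arrived on cable0/2. That per-port binding is what makes the filter effective against a host spoofing a neighbour rather than a far-away country.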
Should ISP's ultimately eat the costs of malicious behavior?
NO.. the same reason that they should care what passes THROUGH the network
Is the customer ultimately responsible for the bandwidth they've generated, regardless if it's desired or not?
YES.. see reason 1.
Is this a new frontier for insurance companies?
YES
Ok. When I pay for 768 kbs up/down, I want to be able to utilize that bandwidth ALL THE TIME. I don't want to be capped at 30GB worth of file transfers a month, when I could, theoretically, push 312.5 GB of file transfers (one way!). I want what I pay for, NOT what the ISP feels like giving me AFTER I've already given them my money for an allotted amount of bandwidth per second. When I first signed up for cable, there WASN'T anything in the contract stating that there was a monthly limit on file transfers. I didn't know until I got a call from my ISP saying that they "could" charge me $2,000 dollars for my bandwidth "ABUSE" *cough use*. I then went back and re-read the contract.. it appears as if it was added in AFTER I signed up.
Listen to my experimental-industrial-techno!
Unless your "burstable billing" agreements spell out that you cannot bill for abusive inbound connections (i.e.: from virus infected hosts), you can probably legally make your customers pay (at least until they leave). I think a better approach would be to forward the costs back to the networks that relayed the connections for further relaying until the charges reach the infected pcs or at least their connection providers. Your isp could also offer bandwidth caps on the burstable agreements so people can take advantage of the concept without exposing themselves to bankruptcy. I would also think that an isp could easily block identified sources of infected connection attempts to all of its customers, and that such defensive action is a reasonable customer expectation.
If you host a website, you have a public service. It's not your customers' fault if they use your website too much. You don't charge them for it, unless it's a pr0n site, then you charge them a certain amount per month to have access to parts of the website that other people don't have access to who aren't paying for it. The thing with the world wide web is that you AND your customers that are accessing the website are both paying for the bandwidth it uses. Basically your customer pays for the bandwidth going to their isp and out to the world wide web, and then you pay for the bandwidth your site requires and uses. Kind of like half and half, though not exactly. The ISP hosting the website has to pay for the bandwidth usage somehow, and they do that by having the customers pay for it plus a little extra for profit and such. It is complete BS for you to think that they don't have to pay some of the bandwidth usage that the customers use to get onto your site. Your site is basically a public service, therefore you foot the bill for it. Don't like to have to pay for all that bandwidth? Then tell your host provider to cut off access to the site each month you get to your limit. This way, you don't pay for excessive bandwidth on your site. Now as for e-mail being cut off, I believe that you get unlimited bandwidth with that for receiving and sending e-mail with most host providers. So the moral over all, your website is a public service and you pay for those who use it. If you can't afford that, then either cut back on the amount of bandwidth used, or if your site is that popular, try to figure out a way to use that to your advantage, such as to increase sales.
Let's say I got rooted because I'm running an open Telnet port on my connection and someone uses it to turn my computer into a spam factory spewing gigs of spam each day. Or let's make it more realistic. The slammer worm. It is not the ISP's fault that the user is an idiot. Remember the slammer fix was posted a long time before the slammer came out. You need a clause in your TOS.
As a SA of several large ISPs my experience has changed my mind about colo or dedicated servers.
A) You can't stop inbound packets, the packets travel across the ISPs link, you get charged for it period, and they barrage your machine with the full force of the network link (10 or 100 Mbs)
B) The attacks are coordinated, I have seen many many servers pound a single server into the ground, the result is the customer usually ends up cancelling and being down for 48 or more hours.
C) ISPs have a shitty business model, billing should ONLY occur for outbound bandwidth, inbound bandwidth on a server is usually minimal and should be built into the cost of the server
So, if you have this problem, and many people with dedicated servers WILL have it, get a T1, if you use that up, get another T1 and set up BGP, keep adding T1s until you are in the ballpark for one of the links to be a frac T3.
The deal you see from a dedicated host or colo facility really isn't a deal when you see the other side of the coin and pay coin for the convenience.
Don't use a host that charges ridiculous prices for bandwidth usage. This is a huge cash cow for hosting companies. It didn't used to be like this, until they figured out they could charge money for it. If you do use a host that charges these ridiculous prices, make sure they can turn your site off after it's reached a certain bandwidth limit, so you don't end up getting charged $10,000 for being Slashdotted.
Another solution, host yourself on your own servers. You can transfer an unlimited number of bytes. You are only limited by your bandwidth.
Since most (if not all) viruses are Windoze specific, why don't you institute a large Windoze surcharge (and double it if the user happens to be running IIS)?
This would mean that the people generating the traffic would be paying for it, not the people receiving it.
All data is speech. All speech is Free.
Now imagine it with packets and the internet
8-PP
I work for a university somewhere outside of the US. We have a DS3 connection that is usage based. Currently, we just limit the number of terminals that can be connected including the applications that the students are able to use (they won't be able to install and run 3rd party apps) so they can only browse and stream media files. This is working well with us. However, this restrictiveness reduces the applications that can be run. These terminals are connected to a high speed connection. Then again we have a low speed link where all "other" computers get their connection (E1); when we monitor the traffic, the majority is not academic related (sad to say.) But heck, I don't care about them if they find it slow; that's the amount you pay and that's what you get, unless you pay a big chunk of your tuition for internet use (in our country bandwidth costs us around 3x-4x that of bandwidth in the US so it is expensive.)
:)
I suggest though that since students have already paid a certain amount in their tuition, they would get a free pipe. Let's say that the total amount of payment can buy you 10mb/s of bandwidth/month, then all users can use that much bandwidth. If it slows down, it is their problem since that is the payment they made in the tuition. You can set up a billing system for them to use the remaining bandwidth (let's say 35mb/s for a DS3) but they are billed for each byte they send.
Academic departments that need to have bandwidth dedicated to them should get either the approval of the university for them to get it for "free" or the department will be using their own funding for their bandwidth use.
It solves on all sides. You pay a flat fee, you get a flat unlimited bandwidth use. As per QoS, there are no guarantees. You can have "premium" services where you can provide more bandwidth and better QoS.
As the saying goes, there is no such thing as a free lunch.
Live your life each day as if it was your last.
I was quite amused to read this story and the follow-ups.
Two days ago I put my personal web-site up. It's sitting on a linux box (Apache) behind my firewall, which only lets incoming connections initiated on port 80 through.
In two days I have had maybe 100 hack attempts. All using variations on "GET /something/cmd.exe" or "GET /something/dir.exe". I'm amused, 'cause my Linux box ain't going to get hacked that way.
But, WTF... they're using up MY bandwidth. Why can't ISPs take some responsibility for detecting script kiddies. There can be exactly no un-patched useless WinNT boxen out there. Why shouldn't Mr ScriptKiddy be asked to pay for the bandwidth?
In telephones (in the UK, at least), calling party pays. If someone is hammering my bandwidth maliciously (or at least dumbly) why should they pay?
And why can't I get an ISP that "traps" stupid requests, and reports them to the user's ISP. Too many issues and that ISP is blocked.
Why not?
(I'm thinking about setting up a DDOS system on anybody that tries to 'hack' my server. Just for a laugh, obviously.)
--- My dad's political betting
It's a tough problem. You don't want your ISP playing God. Yet, you don't want to pay for unexpected bandwidth.
That's like saying you only want good bandwidth and none of the bad bandwidth. :)
Let's use a Mall analogy:
You build a shopping mall. There are roads leading into your mall. The city maintains the roads, but the parking lot and accessways into the malls and shops are maintained by you, the site owner.
If you get a lot of paying customers coming and they jam up your parking lots and driveways and walkways with cars and people who are willing to pay, you don't say anything because you're getting money.
However, let's say you get a lot of non-paying traffic. A large group of people decide to find a place to gather and organize and decide on your mall. They take up your parking spaces and take up the chairs in your food court or block walkways while they chat. No money being earned.
It's still traffic, but it is traffic you don't want. You still have to pay the electric bills and road maintenance. But you don't get compensated.
Who should foot the bill for your losses?
Seriously, the customer should monitor their systems and when they detect anomalies, should be able to work with their ISP to have the traffic in question blocked off. In the event of a DDOS/DOS, then they should seriously consider taking their system off the pipe.
ISPs should see this as a profit potential. I mean, offer your customers content based filtering. Let them setup their own filters and provide assistance service contracts.
In the end, the ISPs will make extra money, customers will feel more supported, and the network bandwidth will be better utilized.
As for the Mall, if there are people taking up space to the point of disturbing your business, it may be time to call in the police.
Customers and Providers really need to work together instead of pointing the finger.
Winged Power Photography
An odd coincidence: this paper was posted to the NANOG (North American Network Operators' Group) mailing list just today. The first paragraph reads: Not an answer, but certainly relevant.
(imagine the drawing of poor quality stick figures on the board)
Joe lives with his wife Susan on the North side of the river in Anytown, USA. One day Joe is getting ready for work and his wife, Susan, is feeling very lonely, and begs him to stay with her for the day. She begs and begs, but Joe leaves for work nonetheless. Feeling lonely, and in dire need of intimacy, Susan leaves her house and crosses the nearby bridge to the other side of the river. She knows it's not the best part of town as there are frequently shady characters hanging about. On the other side of the bridge Susan goes to Tom's house, where she seduces him and spends the entire day in his arms making passionate love.
Night comes and Susan realizes she better get home ASAP. Scared to cross the bridge alone in the dark she asks Tom to walk her home. Tom declines, saying he's got too much work to catch up on, having been distracted all day by Susan. So, she walks home alone. While crossing the bridge she's mugged and killed.
Then the teacher asked the class "who's FAULT is it that Susan is dead?"
Of course everyone would argue all types of things about the bastard husband, or the jerk of a lover. After that went on for a while the teacher asked another question, "What about the mugger, who KILLED her...?"
Isn't it the liability of the person attacking you for the harm they caused? I can't catch them, but my upstream likely could.. if only they had some sort of ... incentive... say it cost them $$$...
So, stick them with the bill, and maybe they'll get off their hind quarters and start catching people for attacking others...
My Linux Command of the Day site : LCOD
ISP A has customer X. ISPs B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y and Z have customers B1,C1,C2,D1,E1,E2,E3,F1,G1... etc. that are infected with a virus. Each of them contributes very little to the total impact, and they are usually completely innocent residential users with no malicious intentions. Most likely, they have not updated the box connected to their DSL modem, or have been fooled by some email trick or otherwise to accept a virus. Try charging these ISPs (which have seen no spike) or their users (which also haven't noticed), usually from all across the world, and I promise you that they will stonewall and that what you manage to get won't even cover the cost of sending out invoices.
Who is the real culprit? The botmaster, who is in general nowhere to be found, even when the FBI gets serious about it. He'll be busy finding new victims to infect with the virus, and there seems to be an infinite supply of stupid people around.
Kjella
Live today, because you never know what tomorrow brings
which is positively related to the monopoly power of a given company. If you are say, MS and you have a near perfect monopoly, price will be very inelastic (you can raise p with a smaller loss of q). In that case, I would say close to 100% of any cost will go to the consumer (government fines MS for abusing consumer, consumer is passed the cost through MS).
:)
However, in more competitive environments (McD's), perhaps very little will get passed on to the consumer since the price is more elastic, as consumers start buying burgers at Wendy's when McD's price increases just a little.
Of course, I was going to use this as a reason to advocate Open Source software . . . but I have given up on trying to convert strangers. Thus I have more energy to convert friends and family!
Sdelat' Ameriku velikoy Snova!
..need to learn that patching boxes isn't something that can be done when they feel like it.
I work for a northern-based ISP in the UK, and being on call on the weekend Slammer did the rounds, I was up at about 6am trying to find out what the fuck had happened. I still have graphs somewhere of the spikes on our border routers.
I find it amusing that customers think they shouldn't be billed for the extra bandwidth in situations like these. If it wasn't for those certain customers in the first place, the problem wouldn't have existed anyway.
They'll never learn, and in a few months it'll probably all kick off all over again.
I know that one way it worked at my college, was the ISP would monitor the usage for a random 30 day period. They would then base the following years billing on the usage of those 30 days. Apparently they had some sort of usage --> dollar ratio or matrix. Since it was "random", we weren't able to try to limit usage during the monitoring. At the very minimum it helped with budgeting since we knew what the monthly bill would be.
If they really need a burstable connection, have a system set up so that they can request an immediate temporary bandwidth increase. This could be priced according to how much spare bandwidth is available (in which case the customer would need a way to find the price out before ordering the extra bandwidth), or have a fixed price. This would preferably be automated for speed.
Tim
- I should not be responsible for TCP traffic that is not ACK'd from my system (one-way traffic inbound, like a virus hitting my system, but my system doesn't respond because they are patched/unaffected). At that point, I believe the originating ISP is responsible for the costs incurred by my ISP, as they should detect and filter this from the source (force responsibility on the part of the ISPs, who will then try harder to police their users who don't accept the responsibilities of having systems on the net).
- *if* the ISP wants to bill me for traffic that isn't ACK'd, they had better have a helluva response time on filtering the latest/greatest worm from my pipe
- I should be responsible if I'm dumb enough to hang out SQL server and get Slammer, etc.. (ACK'd undesired traffic - I am responsible for my own systems!)
- I am responsible for having more bandwidth used than I planned on for my exposed service (Slashdot isn't responsible for Slashdotting my site - I put it up there). One has to assume I am paying for burst because I want to handle unplanned traffic! Otherwise I wouldn't be on a burst pipe and I would probably be paying a flat fee anyhow.
- The ISP should provide me an option to drop a certain percentage or deny all traffic above a threshold of sudden and sustained level unless I am alerted (email, phone call, pager, whatever) and can approve it - same principle as a bank...I can move any amount of money around I want, but a very large one-time transaction can have an authorization requirement (protection from the Slashdot effect)
So, I guess I really feel that the ISP and the user must share responsibility, depending on who "let" that traffic into the pipe.
Half the problem here is that we bill for bandwidth in the wrong way. By billing on traffic, we open ourselves to exactly this sort of problem - it would be like billing for water consumption based on pressure (rather than volume).
In the case of network access, it makes far more sense to bill based on access - the size of the pipe, and if necessary the level it can burst to.
The reason ISPs bill per megabyte is so they can bill multiple customers for the same piece of infrastructure... and at the same time, over-subscribe that piece of infrastructure.
Comparing water and bytes is a rather foolish analogy that the ISP business has invested hugely into. Water is a tangible object, whereas bytes cost nothing to create. In most cases, the cost is in providing the infrastructure - once the gear is in place, it doesn't actually cost anything to send a byte of data down it!
Some would argue that we pay by the byte in order to fairly charge for usage - if this were so, then the providers would simply need to offer a range of access levels. Unfortunately for us, it's not in their best interests to do this.
Charging by access speed means that we suddenly introduce a higher quality of service (you can't sell what you don't have, unlike with the current cost-model). This also promotes higher usage, which in turn promotes growth - without growth, most ISP's will never pay off their initial investment.
Strangely enough, paying a fixed fee based on the size of your connection is where the whole thing started. Paying per byte is a relatively recent (several years, but still recent) concept, thought up by greedy providers who realised they can charge many customers for something that is essentially free.
Take a look at the profit levels of some of the bigger providers in your country. Here in Australia, Telstra, Optus and Connect all report multi-million (and in many cases billion) dollar profits. Nobody can tell me that the core connectivity of the Internet isn't currently a profitable business.
Finally, there's the subject of double-billing. Upstream and downstream traffic being billed. I could write for hours on this particular injustice, but let's just consider this for a moment - you get hammered by a worm or hacker, and who gets the bill? The same data passes through the hackers network, generating charges for them. It then turns up at your front door, costing you a fortune too. Both people pay (usually, the hacker gets some poor schmuck to cover the costs though). Worse still, when the connections originate from the same providers networks, they still get charged twice. But I won't rant about this bit just now...
They are advertising themselves as being these speeds "on-line, all-the time"; if they didn't mean that in its fullest... they shouldn't advertise it.... That's misleading.
--vision
--Idiots, Every single one of YOU, A flaming mass of conglomerated morons, hey wait a second, isn't that how RAID works?
If anything the ISP should be held accountable because they are the professional network managers. Not joe six pack who had his computer owned.
www.samuraidreams.com - My Blog
www.samuraifiles.com - Get Some Videos Here
For incoming bandwidth you are not the one doing the "driving".
Maybe the problem is not in the bandwidth used, but in the charging for bandwidth.
you instead have an idiot fee. Anyone who has their system owned using a well known and correctable flaw has a higher rate regardless of their choice of OS.
Which is exactly why I haven't signed up, even for my small site. It would be ridiculously easy for Wazoo web to inflate my costs artificially. I don't necessarily have any reason to distrust them, save that I don't know them and they are out to make money. I should note that I don't think they're doing anything different than anywhere else, nor have I seen any accusations about their business practices. It's just my own paranoia about getting ripped off speaking.
I'm the big fish in the big pond bitch.
It's more like pulling down your pants, bending over, and yelling "freshmeat" in a texas prison yard and the allotment of condoms have run out for the month.
If it's a new worm, I think the ISP should eat it, but if it's an old one or the patch has been released for it, then they should pay. If they are stupid enough to hire some substandard administrator because of penny pinching, then they deserve it.
A few notes about charging for bandwidth:
These are some of the steps we use to protect ourselves and our customers. Your mileage may vary.
(We use packeteer for rate limiting, but I keep eyeballing OpenBSD/AltQ/PF for both rate limiting and firewalling for our customers).
The customer should NOT be held liable for use they did not incur.
When your credit card number is stolen, are you liable for more than $50? Sometimes not even that much.
There is little difference between this and the invasion of privacy that is an e-mail virus.
Maybe /. can tell us exactly how long it would stay on the air if they had to start paying for both their and my data charges.
And most ISP's would close tomorrow if they couldn't charge for data downloads.
'nuff said.
If you actually paid for the bandwidth you want, you'd be paying a bit more than your 49 bucks a month.
I wrote several negative replies about how it is unfair for the ISP to charge the customer for something the customer has no control over. I'd like to take a moment and give a counter - an example of the one way I can think of to do it that could be fair, without asking the ISP to foot the cost:
The problem, at its root, is that the customer is helpless to prevent the offending traffic until after it has already been counted by the ISP. If you firewall the offending traffic away, that firewall still exists at a point further down the line than the ISP's bandwidth counter - so you reject the incoming packets AFTER they've already been counted against you. That is the crux of my complaint about this system.
But, there is a possible solution: As part of the service, the ISP gives the customer access to some type of automated protocol whereby the customer can inform a program on the ISP as to what the customer would like firewalled, and the ISP implements it for the customer at a point BEFORE the traffic counter counts it. That puts the customer into a position where the customer CAN actually do something about the traffic, and can keep on top of it and respond to it. The customer could even set up a script that watches the usage and when it spikes to absurd levels it automatically informs the ISP to cut it off for a minute or so. Obviously, this solution is only good for more sophisticated customers, like businesses. It wouldn't work so well for the typical home user.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
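The pre-counter filter the post above proposes, as an added example: a constructed simulation in Python, not any ISP's API or the poster's own code. The ISP side applies customer-scoped block rules before its byte meter; the customer side watches what actually arrives and asks for a one-minute block when a single source exceeds a per-second byte budget, then the rule expires on its own. Times are in milliseconds, the addresses and the traffic timeline are constructed, and the `request_block` method stands in for whatever protocol an ISP would actually expose.

```python
"""Customer-controlled block rules installed upstream of the ISP's billing meter.

Added example; times are in milliseconds, traffic and addresses are constructed,
and request_block() is a placeholder for a real ISP-exposed protocol.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network


class IspEdge:
    """ISP side: customer-scoped block rules are evaluated BEFORE the byte counter."""

    def __init__(self, customer_prefix):
        self.customer = ip_network(customer_prefix)
        self.rules = {}            # source prefix -> expiry time (ms)
        self.billed_bytes = 0
        self.dropped_bytes = 0
        self.block_requests = 0

    def request_block(self, src_prefix, now_ms, duration_ms):
        """The customer's automated request. Rules live in this customer's own
        ACL, so they can only affect traffic destined to this customer."""
        self.block_requests += 1
        self.rules[ip_network(src_prefix)] = now_ms + duration_ms

    def _blocked(self, src, now_ms):
        # Expire old rules first, so "cut it off for a minute" really ends.
        self.rules = {p: exp for p, exp in self.rules.items() if exp > now_ms}
        addr = ip_address(src)
        return any(addr in p for p in self.rules)

    def deliver(self, now_ms, src, dst, nbytes):
        """Returns True if the packet reached the customer (and was billed)."""
        if ip_address(dst) not in self.customer:
            return False
        if self._blocked(src, now_ms):
            self.dropped_bytes += nbytes   # never reaches the meter
            return False
        self.billed_bytes += nbytes        # the meter sits after the ACL
        return True


class CustomerWatcher:
    """Customer side: watches arriving traffic and asks for a short block when
    one source exceeds a per-second byte budget."""

    def __init__(self, edge, limit_bytes_per_sec, block_ms=60_000):
        self.edge = edge
        self.limit = limit_bytes_per_sec
        self.block_ms = block_ms
        self.buckets = defaultdict(int)    # (src, second) -> bytes seen

    def saw(self, now_ms, src, nbytes):
        key = (src, now_ms // 1000)
        self.buckets[key] += nbytes
        if self.buckets[key] > self.limit:
            self.edge.request_block(f"{src}/32", now_ms, self.block_ms)


def constructed_timeline():
    """200 s of 1 kB/s legitimate traffic plus a 100 s flood of 50 x 1500 B packets per second."""
    pkts = [(t * 1000, "198.51.100.10", 1000) for t in range(200)]
    pkts += [(t * 1000 + k * 20, "192.0.2.5", 1500)
             for t in range(50, 150) for k in range(50)]
    return sorted(pkts, key=lambda p: p[0])


def simulate(with_watcher):
    """Run the timeline through the edge; returns (billed, dropped, block_requests)."""
    edge = IspEdge("203.0.113.0/29")
    watcher = CustomerWatcher(edge, limit_bytes_per_sec=20_000) if with_watcher else None
    for now_ms, src, nbytes in constructed_timeline():
        if edge.deliver(now_ms, src, "203.0.113.2", nbytes) and watcher:
            watcher.saw(now_ms, src, nbytes)
    return edge.billed_bytes, edge.dropped_bytes, edge.block_requests


if __name__ == "__main__":
    print("without watcher (billed, dropped, requests):", simulate(False))
    print("with watcher    (billed, dropped, requests):", simulate(True))
```

Run stand-alone, the flood costs the customer all 7.5 MB without the watcher; with it, only the 42 kB that arrived before each one-minute block took effect is counted, and the block is requested twice because the first rule expires while the flood is still running. Two design points matter for safety: the rule is scoped to the requesting customer's own destination prefix on the ISP side, and it expires by itself, so a mis-firing script can only briefly cut off its owner's traffic and nobody else's.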
Compare this to someone constantly text-messaging spam to your wireless phone. You could quickly run up an insane bill that way, and there's really nothing you could do about it. The wireless company is contractually in its rights to charge you.
But it won't.
That's how they work. Someone screws with you, typically the provider eats it, especially if there was nothing you could do about it. That puts the incentive back onto the one entity who can actually do something about it: the providers. True for wireless. True for credit cards. True for just about anything where the end user can't do anything to stop the abuse.
The ISPs can do something about it. They have chosen not to because of how we (the geeks) developed the internet. It's too trusting. But at the end of the day, your ISP does know who you are, because they send you a bill. And they could apply uniform terms of service if they chose to, and only talk to other ISPs who have similar terms.
The RBLs are the future. They just don't go far enough. When they're willing to not just cut off SMTP but entire connectivity to other ISPs who aren't willing to play by uniform rules, then we'll start to see some changes. What kinds of rules? Here's some for starters:
- Authenticated mail only. Yep, this looks like banks' "know your customer" rules. You can be anonymous all you like up to the point that you connect to the mailer. But the guy who forwards mail for you is going to be held responsible for your behavior. Yes, that will radically change the free-service providers (yahoo, hotmail, etc). They're free to come up with solutions that don't require them to know exactly who you are, but if they host spammers, we're not going to talk to them. This is just the logical extension of RBLs.
- Same deal for acting as a DDoS zombie. The owner of the unpatched box is responsible, but it's the responsibility of the ISP to be able to identify that person for legal action. If they can't or won't, then we don't talk to them.
None of this says that you can't be anonymous most of the time. It just says that if you're disrupting service and causing real losses due to your actions or lack of actions, your ISP is going to have to hand you over, or they're going to be held responsible. The right to privacy has to be balanced with responsibility for your actions. The old-world networks (phones) have worked this way for years. I can block my out-bound caller-id. I can have an unlisted phone number. I can be very anonymous on the phone. But if I'm named in a lawsuit or criminal complaint, the phone company will hand me over in a heartbeat. The only way around this is pay phones with cash. It's hard to run a large-scale scam that way.
And no, this doesn't mean that an ISP's logs are free game to the RIAA. But it does mean that if the RIAA wants to name a specific "unknown party" in a lawsuit, the ISP is obligated to identify them. Before you get excited, that's exactly the current situation. The RIAA just wants to get the info without actually suing you (which is wrong, and luckily some ISPs have resisted). ISPs need to be willing to say they will only interconnect with other ISPs who play by the same rules.
Yes, this will fragment the internet for a short period of time. So do the RBLs. But economics will fix it fast enough, especially if entire connectivity is cut off.
The reason ISPs charge what they do (far more than is necessary) is partially to be able to recoup potential costs/damages. It is part of the calculations that go into determining that they're going to charge you $40-50 a month for a dedicated connection. As a result they shouldn't charge you for a liability they have already accounted for and overcharged for (and they do overcharge). Additionally, as long as ISPs bill their service as 'cable modem - x bytes a second, unlimited' rather than 'x bytes a month, capped' this practice is deceitful and will lead to people being charged for services they do not believe they have agreed to (whether or not in some fine print clause it is mentioned).
I feel ISPs already have FAR too much power to change contracts on a whim without alerting the consumer, and additionally have already scaled back on a large scale the services provided. Most ISPs no longer offer newsgroup retention of over 1 day for messages in binary groups (and as someone who uses many LEGAL usenet groups for art, photography, and underground music this bothers me to no end), some ISPs now filter uploads or limit upload size to newsgroups, some ISPs now allow interest group vigilantes like the **AA access to their servers and your accounts. Most high-speed providers I've encountered often offer far lower speeds than advertised, interspersed with a LOT of downtime. The customer already eats FAR MORE of the bill than they deserve. And for every client who uses their bandwidth excessively there are 10 who don't play games or trade files at all- who just use the internet for work or porn or email or special interests. These ISPs have a captive audience as well; in the majority of the US they've carved up the areas they work in such a way that they are uncontested, and so the consumer has no choice- use them and their draconian agreements or don't access the internet at any reasonable speed. Fuck them.
I say don't give them any more leeway to restrict, to censor, to overcharge.
If you pay lower premiums, the cost of a prescription is going to be higher when the bugs attack.
Using a Windows host, 'iis' like being a smoker. It will catch up with you in the long run.
Tom
Open source- the greatest equalizer mankind has ever seen.
I disagree, this was the biggest problem with the Dot com fad: everyone was so excited about the technology and the money that might be able to be made that no one was bothering to actually add up the bills.
It is very hard to even make a buck nowadays running an ISP; for years a lot of smaller ISPs got by and made themselves (their business) look better than it was. Providing people with unlimited bandwidth for $50 a month is hard to do when you figure out all the costs.
A lot of times they didn't have the actual bandwidth they said they did, just to bring in a profit etc...
Most of these companies were hoping they would get bought out in the dot com craze, and did. The bigger telecoms bought up the smaller guys knowing there would be a loss but were also thirsty for what might be the biggest thing in their future, and not wanting to be left out of a good thing.
Nowadays things have changed a little, a lot of the smaller ISPs are gone, and you might still be able to get a cheap line, but more and more people and businesses have learned that you get what you pay for and don't mind paying a little bit more to know that the company won't fold tomorrow leaving them stuck with a lot of problems that they would have had from a bigger, more respected company that has to play the publicity game more often.
I think bandwidth is still pretty expensive right now; the charges on an OC3 connection are not cheap and most ISPs pay by the bandwidth used.
Plus you've got the problem mentioned here.
I do not believe this problem is about Web services; that may be a problem for some, but I think that a parked server that uses up a lot of bandwidth for their website should just pay up.
For a lot of the reasons already mentioned by others.
But the problems really happen when a Virus or a Bug leads to unreasonable bandwidth usage.
Code Red hurt a lot, but after the first couple of hours we had filters in place that blocked most of the negative traffic from the Virus at the core routers.
Also the recent SQL bug was blocked pretty fast so that people didn't accrue a huge bill. So we are learning fast how to help our customers and ourselves not get into these problems, but there have been some times when a person has hacked a server and loaded an FTP with games and porn, whatever, and caused them to have a bill in the tens of thousands of dollars, and the customer didn't have a clue any of that was coming.
I think we will learn to avoid a lot of this; even though it may still be the customer's responsibility to configure the server, the ISPs are learning that to keep customers and not get into these problems they have to do more monitoring and check the network more for anything unusual like this. A simple script that runs every night that checks for anonymous FTP PUTs can save everyone a lot of grief.
A lot of ISPs are just starting to turn a buck again, getting spending down to something reasonable that is more in line with their income.
And keeping a lot of the more talented people that can really help in these situations will be key to better service. These lines will get cheaper as the money initially invested gets
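The nightly check for anonymous FTP uploads that the poster describes, written out as an added example (this is not the poster's script or any ISP's tooling). It parses wu-ftpd xferlog records, flags uploads made under anonymous access, sums the completed bytes per remote host, and reports hosts over a threshold. The log lines are constructed and use documentation address ranges; the threshold and the hostnames are assumptions.

```python
"""Nightly check for anonymous FTP uploads in a wu-ftpd xferlog (added example)."""
from collections import defaultdict

# Constructed sample xferlog lines (hypothetical hosts, users and files).
# Fields after the five date fields: transfer-time remote-host file-size filename
# transfer-type special-action direction access-mode username service
# authentication-method authenticated-user-id completion-status
SAMPLE_XFERLOG = """\
Mon Jan 27 01:12:03 2003 4 192.0.2.10 1048576 /pub/incoming/movie.part1 b _ i a anon@ ftp 0 * c
Mon Jan 27 01:13:41 2003 2 192.0.2.10 524288 /pub/incoming/movie.part2 b _ i a anon@ ftp 0 * c
Mon Jan 27 02:00:00 2003 1 198.51.100.7 2048 /pub/readme.txt a _ o a anon@ ftp 0 * c
Mon Jan 27 03:30:12 2003 8 203.0.113.5 4194304 /home/alice/backup.tar b _ i r alice ftp 0 * c
Mon Jan 27 04:00:00 2003 0 192.0.2.10 0 /pub/incoming/failed.bin b _ i a anon@ ftp 0 * i
"""


def parse_xferlog_line(line):
    """Split one xferlog record into a dict; None for malformed lines.
    Filenames containing spaces are not handled (xferlog does not quote them)."""
    fields = line.split()
    if len(fields) != 18:
        return None
    return {
        "when": " ".join(fields[0:5]),
        "host": fields[6],
        "size": int(fields[7]),
        "path": fields[8],
        "direction": fields[11],   # 'i' = upload to the server, 'o' = download
        "access": fields[12],      # 'a' anonymous, 'g' guest, 'r' real user
        "user": fields[13],
        "complete": fields[17] == "c",
    }


def find_anonymous_uploads(log_text):
    """Every anonymous upload (direction 'i', access 'a'), complete or not."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec and rec["direction"] == "i" and rec["access"] == "a":
            hits.append(rec)
    return hits


def bytes_by_host(uploads):
    """Sum completed upload bytes per remote host."""
    totals = defaultdict(int)
    for rec in uploads:
        if rec["complete"]:
            totals[rec["host"]] += rec["size"]
    return dict(totals)


def hosts_over_threshold(totals, limit_bytes):
    """Hosts whose completed anonymous uploads exceed limit_bytes, largest first."""
    return sorted((h for h, b in totals.items() if b > limit_bytes),
                  key=lambda h: totals[h], reverse=True)


if __name__ == "__main__":
    uploads = find_anonymous_uploads(SAMPLE_XFERLOG)
    totals = bytes_by_host(uploads)
    for host in hosts_over_threshold(totals, 1_000_000):   # assumed limit
        print(f"ALERT: {host} uploaded {totals[host]} bytes anonymously")
```

Incomplete transfers are still listed (a half-finished upload is as good a sign of a dump site as a finished one) but only completed bytes count toward the threshold, so the alert reflects what actually landed on disk.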
If someone's machine becomes compromised, either by virus, worm, malicious user, cracker etc... then they should be liable for not only their own bandwidth usage, but also for bandwidth usage caused to third parties by the illegal activity emanating from their box.
If you can't keep your box secure, you pay the consequences. Maybe large financial costs would encourage people and organizations to adopt tougher security policies, and to actually hire competent admins instead of "that drone from sector 7G who says he knows about computers"
Think of it this way: if you don't keep your door locked, then no insurance company will pay out.
Besides, if your machine becomes infected with a worm/virus that tries to propagate itself, you may be causing damages/losses to SOMEONE ELSE... you may increase the bandwidth bill of someone who never did anything wrong, why should they have to suffer?
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
That means that if the ISP decides to "eat" the charges, then those users conscientious about their security subsidize the carelessness of those who aren't so careful.
This sounds like what the insurance companies call "moral hazard:" If someone else pays for your carelessness, there is little motivation to be careful.
I just got an idea for a software project to solve this problem. It would be like the Windows program "ZoneAlarm", except that instead of configuring the firewall locally on your own machine, it would remotely administer a firewall on the ISP for your traffic. The interface would have to be OS-agnostic (or I'd be pissed), so something like a small Java application would work. (And the interface program doesn't have to do much but monitor an open socket and ask you whatever questions the server tells it to ask, so the bloat of Java wouldn't matter much.)
That way the ISP could adopt a policy of charging you for traffic you explicitly allowed, and denying all traffic you didn't, and it would be simple enough to use that you don't need to be a computer expert to use it.
For the business customer with a full-time sysadmin, the same kind of firewall config at the ISP could occur, but the business customer could automate the configuration of said firewall by being given a programmatic way of sending it commands in scripts.
Make it a black and white picture for your client. You pay someone for your bandwidth, probably, so their bursty nature costs you money too. I know the client thinks they are the only one in the world but they aren't. Make that apparent in a kind way and explain to them that bursty traffic still is billed. They are in a public area like you said and subject to a flood like that. Like you said, perhaps insurance companies could start to make money on this. I see it akin to a typical flood in your house. Water doesn't typically rise to that level but when it does the insurance company pays for the damage assuming you have flood insurance. Maybe you should go into insurance as well...
Makes me wonder,
With the telecommunication industry in a slump, why not just sponsor development of new types of spyware, P2P iterations to up the bandwidth bill
hey just pay a few bad boys on the side for some new DOS's
Maybe its time to buy Telco stocks again ?
Depends upon whose equipment was running old code that contained the vulnerabilities. Customer's server = customer's bill. ISP's routers or misconfigured firewall = ISP eats the bill. C1
>It's a pretty tough issue... seems like whoever
>initiated the malicious behavior should foot the
>bill, but in cases where that person can't be
>located then I guess the victims of the attacks
>just have to eat the cost.
True, but this just returns us to the original question. Is the victim the guy with the server or the ISP? I would say that the ISP is the victim since they incur additional costs but they can't charge their customers for them because the customer hasn't received corresponding additional value.
Let's assume that we are talking about something like a ping storm, where the configuration of the ISP customer's servers makes little or no difference.
Here is a good though not perfect analogy. I have a cell phone for which I pay a per-minute charge. That is fair. The more I talk the more I pay. But an auto dialer somewhere goes haywire and calls me every 5 minutes for a week. During this time my phone is almost useless. I doubt the phone company would be able to charge me more for this less useful phone.
Some have suggested that the solution is to monitor the bandwidth consumption and to ask the ISP to block ping traffic that is running up the bill. They have pointed out that the result is that the ISP customer is not charged even though the ISP continues to incur the bandwidth costs. If I understand this correctly, this is just a way to keep the traffic off of the customer's bill. It is simply an alternative to giving a credit. These ISPs are admitting that this junk traffic isn't an additional level of service which they can charge customers for.
If the ISP is only responsible for the leased line and routing and the customer is responsible for the server and content then the customer gets charged for the bandwidth. If the ISP is responsible for the server (say they provide the web space for my company's page) then they should eat the cost due to the improper management of the server. I would even go so far as to say that any customer that fails to have their server properly maintained and patched should also have a penalty fee. Ultimately the ISP has to deal with the bandwidth usage.
What no link? No URL? I live to slashdot!! Imagine a beowulf cluster of hits to your website!
So far, I think many posters have forgotten one simple fact.
.. Now for the juicy bits. This happens. Every day. The large network NOCs are in constant communication with each other about large DDoS attacks. The little ones slip through the cracks until people complain but generally the large network NOCs will have many other issues to deal with so in a way I don't really blame them.
ISPs don't have infinite bandwidth.
I know, it's quite a strange idea. But think of this.
If you're an ISP in a single location, chances are you're buying a few (hundred?) megabits off your upstreams. Unless your upstreams are happy to filter traffic they send to you (and unless it's a very large DDoS, most of them will take a while to implement any access control), the ISP will still be charged for traffic sent to a customer even if the customer chooses to reject it.
Similarly, if the ISP provides filtering support for their customers, they still receive the traffic and bite the usage.
Now, if you're a large ISP and have links to other peering exchanges. Even, say, you peer enough to not really need transit. These inter-state links still cost money. And they're fixed. So if a customer is hit with a DDoS they'll still be carrying it _somewhere_.
Even if this mythical tier-${LOWNUM} ISP with lots of fat peering links has some magical scripts to filter out DDoS traffic to a given customer range, it still will hit their border routers. So their peering cross connects have already been filled. The only way around this is to deal with their peers..
But they don't really have the incentive to spend all their time dealing with smaller networks being attacked. They'd be worried with keeping their network from melting under a few larger ones.
The flipside. If you're an ISP with enough bandwidth (and not high-profile sites like irc servers or pr0n) you might be willing to bite the costs of various attacks as part of a marketing point. Customers may come to you because you have a reputation of being lenient under attacks. Perhaps. But that's a delicate line.
Me, I dig flatrate pipes. Usage-based pipes are just asking to be owned by excess traffic. If I buy a megabit then all I really have to worry about is service degradation due to DoS. ISPs, in my experience, will help you with that. But if you're on a usage-based pipe which then gets owned by a DDoS you're struggling after the fact to get a rebate. Good luck.
(Although, that said, perhaps you guys should consider asking for usage based pipes that _have_ a bandwidth cap. Figure out what your maximum spend amount is, say 5mbit, and then ask for a usage-based pipe based on that. That way you limit your liability _AND_ getting the cheaper transit. Most of the time.)
Firewalling at your server does not significantly reduce the incoming bandwidth used up - the fact that your server may be ignoring it does not actually count - the ISP is still charging you, and your level of service is still suffering (the bandwidth is still being chewed). The only way that it WON'T affect you is if the ISP filters it before it hits your box.
If you are the administrator of your server, then you need to be able to advise your ISP that you are being hit, and arrange filtering at their end: if you cannot do this, then even if your ISP agrees not to charge for the excess traffic, you are still going to get reduced performance for the valid connections as they compete with all of the garbage.
Anyway, the ISP in turn should be able to organise with their upline for filtering (if they've got a decent arrangement), until the whole mess is traced back to the ISP that the DoS is coming from, and they can take action to either kill the little sod's access or, if a virus/trojan, block that machine until the owner can be contacted to do a fix.
Another good way of reducing the severity and quantity of DoS attacks is for ALL ISPs to filter out any outgoing packets that have been spoofed: I can not think of a single valid reason that a spoofed packet should be allowed onto the wider internet, short of participating in a DoS attack or system cracking. This is even more important now that the "World's Most Secure Microsoft Operating System" now has a fully implemented IP stack on John Q Public's desktop.
Anyway, I'm outahere!
-Trav
I should really get around to creating a sig.... Nah - too lazy =)
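The outbound spoof filtering Trav asks for, as an added example (not Trav's configuration or any vendor's feature): an ISP checks every packet leaving a customer port against the prefixes it has actually assigned to that customer and drops anything with a foreign source address. The prefixes and packets are constructed from documentation ranges; a real deployment would express the same rule as a router ACL or unicast RPF check.

```python
"""Source-address (egress) filtering at the customer edge (added example)."""
import ipaddress

# Constructed: address blocks this ISP has assigned to its customers.
CUSTOMER_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "198.51.100.0/25", "2001:db8::/32")]

# Constructed sample of packets arriving from customer ports, about to be forwarded.
SAMPLE_PACKETS = [
    {"src": "192.0.2.45", "dst": "203.0.113.1", "proto": "tcp"},         # legitimate
    {"src": "198.51.100.200", "dst": "203.0.113.1", "proto": "udp"},     # outside the /25
    {"src": "203.0.113.9", "dst": "203.0.113.1", "proto": "icmp"},       # not ours at all
    {"src": "198.51.100.3", "dst": "203.0.113.1", "proto": "tcp"},       # legitimate
    {"src": "2001:db8:1::7", "dst": "2001:db8:ffff::1", "proto": "tcp"},  # legitimate v6
]


def is_valid_source(src, prefixes=CUSTOMER_PREFIXES):
    """True if src falls inside a prefix we actually route for a customer.
    Unparseable addresses are treated as invalid (fail closed)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net for net in prefixes)


def filter_egress(packets, prefixes=CUSTOMER_PREFIXES):
    """Split packets into (forwarded, dropped) by source-address validity."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if is_valid_source(pkt["src"], prefixes) else dropped).append(pkt)
    return forwarded, dropped


def drop_report(dropped):
    """Count dropped packets per claimed source, for the abuse desk."""
    counts = {}
    for pkt in dropped:
        counts[pkt["src"]] = counts.get(pkt["src"], 0) + 1
    return counts


if __name__ == "__main__":
    fwd, drp = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}: {drop_report(drp)}")
```

The one legitimate case this rule would break is a multihomed customer that sends traffic out through this ISP using addresses from another provider; the fix is to add that customer's other prefixes to the allowed list for its port, not to disable the check.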
"Is this a new frontier for insurance companies?"
There is already this sort of insurance. I work at a hosting company, and we've recently been getting offers from a few companies.
This is SO educational! -- Kintaro Oe
Even though the example site used was our much frequented Slash, this does not just apply to here: There IS no reason that CNN or whoever should not take the appropriate slap around the chops with a frozen cod when people referred from their site cause another site to succumb to the weight of numbers. L8r! -Trav
THE SLASHDOT RELIEF FUND! I'll volunteer to be the corrupt fund manager! -Trav
You should allow your customers to set an incoming quota. Anything higher (per minute? per hour?) is bounced. (Not held.)
If the users don't set a quota, then they are liable. If they do, then you are the insurance carrier. (I guess that it has to be an extra cost service.)
It is important to customers that they be able to predict the size of their connection bill. If they can't, this can cause a lot of trouble. But you could offer an insurance policy that basically says "You won't have to pay more than X amt. I'll bounce the excess if a spike happens." You might want to think carefully, though, about what your cost exposure would be, before you decide on the cost of the policy. (Even having an expensive policy, though, should be a reasonable answer to the current customer complaints.)
I think we've pushed this "anyone can grow up to be president" thing too far.
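The incoming quota with bouncing described above, as an added example (not the poster's implementation): traffic for one customer is metered in fixed windows, bytes that fit under the quota are billed, and anything above it in that window is bounced and never reaches the bill. The events, window length and quota are constructed; the quota only works as the "you won't pay more than X" promise if the bouncing happens upstream of the customer's port, at the ISP.

```python
"""Per-customer inbound quota: bill up to the quota, bounce the rest (added example)."""


def meter_inbound(events, quota_bytes, window_seconds):
    """events: (timestamp_seconds, bytes) pairs for one customer, in time order.
    Bytes above quota_bytes inside each fixed window are bounced (dropped and
    not billed). Returns (billed_bytes, bounced_bytes, accepted_per_window)."""
    billed = bounced = 0
    per_window = {}
    for ts, nbytes in events:
        window = int(ts // window_seconds)
        used = per_window.get(window, 0)
        room = max(quota_bytes - used, 0)
        accepted = min(nbytes, room)          # what still fits under the quota
        per_window[window] = used + accepted
        billed += accepted
        bounced += nbytes - accepted           # excess is refused, not held
    return billed, bounced, per_window


def max_monthly_bytes(quota_bytes, window_seconds, days=30):
    """Worst-case billable volume: the customer's guaranteed upper bound."""
    windows = days * 86400 / window_seconds
    return int(quota_bytes * windows)


# Constructed sample: one customer, 60-second windows, 1000-byte quota per window.
SAMPLE_EVENTS = [(0, 400), (10, 500), (20, 300), (70, 900), (80, 200)]


def run_sample():
    return meter_inbound(SAMPLE_EVENTS, quota_bytes=1000, window_seconds=60)


if __name__ == "__main__":
    billed, bounced, windows = run_sample()
    print(f"billed {billed} bytes, bounced {bounced} bytes, per window {windows}")
    print(f"worst case per month: {max_monthly_bytes(1000, 60)} bytes")
```

Fixed windows are the simplest thing that gives the customer a predictable ceiling; a token bucket would smooth the edges but the bound on the bill is the same.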
Yes: ASK before posting the article =)
Really - it's only polite.
-Trav
Yes, it took five hours before /. finally stopped displaying the slow down cowboy message. It claimed I posted more than 10 times in 24 hours. I don't think I've posted 10 times in the past three years! Bah!
Ideally you'd be able to roll over bandwidth for exactly one month, as in subtracting the previous month's rollover at the end of the month. Your bandwidth would be continuously throttled to the rate at which you'd expend all of your bandwidth at the end of the month. Without rollover, the ISPs would have a huge sawtooth pattern in monthly load, with one side of each tooth being nearly vertical. The rollover is more for the benefit of the ISPs than anything; so is upstream port blocking, allowing ISPs to block unwanted traffic at its borders.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
I'd like to see the same sort of blacklisting as applies to the SMTP rbl/dnsbl. IPs which propagate attack traffic are blacklisted and denied access to services of participating hosts.
The simplest way to do this would be to just do it at the application layer, deny services on port :80, giving offending IPs the URL of the blacklist site. It would have to be limited to TCP-based attacks, to eliminate address spoofing. Unlike open-relay problems, attack sources are not independently verifiable, so data would have to come from trusted sites/monitoring tools.
More sophisticated approaches could effectively cut such systems right off the net, send an 'admin-prohibited' ICMP or implement a distributed Tarpit; the range of technical solutions is more than adequate.
This could also be used to blacklist ISPs who refuse to police AUPs on their users. I think this would be a simple & effective way to put the onus on system owners (and in some cases ISPs) to get their act together.
Society requires all kinds of equipment and property be correctly maintained, be it your home, auto, boat or airplane; if it's not maintained and people get hurt as a result you're liable.
It's just a matter of time before the same sort of standards are generally required of systems connected to the 'Net. As a community we can choose to take the necessary steps on our own, or we can wait for the government to regulate it.
I certainly don't think the government solution will be one I want to deal with.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
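The application-layer version of the blacklist proposed above, as an added example (not the poster's tooling and not any existing DNSBL): a web front end loads a list of attack sources, and a client whose address is listed gets a 403 that points at the listing site. Because the decision is made after the TCP handshake, the client address has been validated by the three-way handshake, which is the reason the poster limits the scheme to TCP. The feed contents, the listing URL and the client addresses are constructed.

```python
"""Deny port-80 service to blacklisted TCP clients, pointing them at the list (added example)."""
import ipaddress

BLACKLIST_URL = "http://blacklist.example/lookup"   # hypothetical listing site

# Constructed blacklist feed: one address or CIDR per line, '#' starts a comment.
SAMPLE_FEED = """\
# hosts observed sourcing TCP attack traffic (constructed)
192.0.2.77
198.51.100.0/28
"""


def load_blacklist(text):
    """Parse the feed into ip_network objects; bare addresses become /32 or /128."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_listed(client_ip, nets):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def handle_request(client_ip, nets, path="/"):
    """Return (status, body). The check is only meaningful for TCP clients:
    the completed handshake is what makes client_ip trustworthy."""
    try:
        listed = is_listed(client_ip, nets)
    except ValueError:
        return 400, "Bad client address\n"     # fail closed on garbage
    if listed:
        return 403, (f"Access denied: {client_ip} is listed as an attack source. "
                     f"See {BLACKLIST_URL}?ip={client_ip}\n")
    return 200, f"OK {path}\n"


def make_app(nets):
    """WSGI application wrapping handle_request for a real HTTP server."""
    reasons = {200: "200 OK", 400: "400 Bad Request", 403: "403 Forbidden"}

    def app(environ, start_response):
        status, body = handle_request(environ.get("REMOTE_ADDR", ""), nets,
                                      environ.get("PATH_INFO", "/"))
        data = body.encode()
        start_response(reasons[status], [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(data)))])
        return [data]
    return app


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, make_app(load_blacklist(SAMPLE_FEED))).serve_forever()
```

The feed is the weak point the poster already names: entries must come from monitoring you trust, and a listing should carry enough context (time, evidence) that the owner of a cleaned-up host can get off the list.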
Statistically speaking, bandwidth spikes are to be expected. Sometimes they're just the result of a bunch of people doing something at the same time. Other times, they're the result of a DDOS or just a heavy probe.
It's sometimes soooo eassssy for a sales droid to upsell alll of the advantages of a burstable link, without bothering to mention the more nasty implications. If you take it out of their hide (or better yet -- their commissions) every time an angry, uninformed, customer comes screaming into the office, I expect that explaining the cost implications of an unlimited connection will start to become standard practice..
Somebody else pointed out that -- if only for good customer relations, the first 'hit' should probably be on the ISP -- but attached to an education program. (what you can do, what you can't do, what to do about an attack). After that, however, "A drone's gotta do what a drone's gotta do."
OS Software is like love: The best way to make it grow is to give it away.
Why should anybody pay those outrageous prices? This is a case of false scarcity if there ever was one.
While your colo customers may be able to tell the undesired packet to "go away, nobody home", the point that needs to be made is that they have no way of preventing incoming traffic being charged, as it has to arrive at their server before any rules can be put in place to reject it, ergo, they get charged, even if their firewall setup stops the request cold in its tracks. Hey, maybe just don't charge for un-ACK'd SYNs - There's a really bad pun in there somewhere =
I agree that it is their responsibility to monitor incoming traffic and alert you, the ISP, if it is getting out of hand, but it is an impossible cost in man-hours to monitor this constantly.
Maybe a good middle ground is similar to the approach Visa take with stolen credit-cards: If you are notified right away, you can implement the block at the ISP level, then yell at _YOUR_ upline providers about the clown sending unwanted traffic. Rinse and repeat until it gets to the ISP of the problem-causing machine(s) and tell them to can it, but in the meanwhile, your client thinks you're a hero for stopping the flood of junk. If they don't notify you right off, then the longer they leave it, the greater their liability for the cost.
Another option is (and this would be a schite to implement) that all ISPs (and the connecting telecommunications partners) change the pricing structure so that what the end-user is charged for is: Incoming Bandwidth on server-side initiated exchanges, and outgoing bandwidth on externally initiated exchanges.
I will admit that I have not fully thought that last suggestion through, as this does not really cover off things like FTP sites (Public or otherwise) that accept or encourage uploads. Hey, maybe we need a combination of the two? Dunno.
L8r!
-Trav
Literally knocking on the door? Somehow I think you're wrong.
it's the ISP's responsibility (or at least should be) to filter out huge well-known viruses and simple DoS attacks. you don't need a complete IDS in place to block most of the crap out there. the ISPs can handle this, i just don't know why they're not. probably to make more money.
Since webhosters and site owners tend to be net generators of traffic rather than net suckers (like the end-user eyeballs that view them), maybe billing models based on traffic shipped rather than received would be beneficial. For instance, look at some DDOS. That's inbound traffic and if the website operator would be liable for that inbound traffic bill, what incentive is there for the ISP to thwart it? i.e. the slower they attempt to quell the attack, the more money they make. Conversely, if something like Slammer hits the website operator's installation and starts generating 50mbps of traffic of noise, it's to the site operator's advantage to patch their box pronto, because there's a financial incentive. In a normal website operation, it isn't the HTTP GETs that generate the bw, it's the responses that send all the html, gifs, jpgs, mpgs, flash, etc... It shouldn't be too much to take 'normal' inbound webtraffic into account in billing models and at the same time, help allocate responsibility of doing business on the internet to the appropriate parties.
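The two direction-aware tariffs floated in this thread, as one added example (not any ISP's actual billing and not code from either poster): this comment's "bill only what the customer's host ships", and Trav's earlier proposal to bill outbound bytes on connections opened from outside plus inbound bytes on connections the customer's host opened itself. Both are run over the same constructed set of flow records beside the naive bill-everything model, so the effect on an inbound DDoS and on a customer-pulled download is visible side by side. Flow records are constructed; the labels and sizes are assumptions.

```python
"""Compare per-flow billing models for one hosting customer (added example)."""

# Constructed flow records for one billing period.
# initiator: who opened the connection; bytes_in: toward the customer's host;
# bytes_out: sent by the customer's host.
SAMPLE_FLOWS = [
    {"label": "web visitors",   "initiator": "remote",   "bytes_in": 2_000,   "bytes_out": 50_000},
    {"label": "inbound DDoS",   "initiator": "remote",   "bytes_in": 900_000, "bytes_out": 0},
    {"label": "patch download", "initiator": "customer", "bytes_in": 300_000, "bytes_out": 5_000},
    {"label": "ftp upload",     "initiator": "remote",   "bytes_in": 100_000, "bytes_out": 1_000},
]


def bill_all_bytes(flows):
    """Naive model: every byte in either direction is billable."""
    return sum(f["bytes_in"] + f["bytes_out"] for f in flows)


def bill_outbound_only(flows):
    """This comment's model: only bytes the customer's host ships are billable."""
    return sum(f["bytes_out"] for f in flows)


def bill_by_initiator(flows):
    """Trav's model: outbound bytes on externally initiated flows, inbound
    bytes on flows the customer's host initiated."""
    total = 0
    for f in flows:
        if f["initiator"] == "customer":
            total += f["bytes_in"]
        elif f["initiator"] == "remote":
            total += f["bytes_out"]
        else:
            raise ValueError(f"unknown initiator {f['initiator']!r}")
    return total


def per_flow_breakdown(flows):
    """Billable bytes per flow under each model, for showing the customer."""
    rows = {}
    for f in flows:
        rows[f["label"]] = {
            "all": bill_all_bytes([f]),
            "outbound_only": bill_outbound_only([f]),
            "by_initiator": bill_by_initiator([f]),
        }
    return rows


if __name__ == "__main__":
    for label, row in per_flow_breakdown(SAMPLE_FLOWS).items():
        print(f"{label:15} {row}")
    print("totals:", bill_all_bytes(SAMPLE_FLOWS), bill_outbound_only(SAMPLE_FLOWS),
          bill_by_initiator(SAMPLE_FLOWS))
```

The breakdown shows the trade-off both posters gesture at: neither direction-aware model bills the DDoS, the outbound-only model also ignores a download the customer chose to start, and the initiator model leaves an anonymous FTP upload almost free, which is exactly the gap Trav admits he has not thought through.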
negligence
I worked for awhile in telecom. For the most part, the expenses of the telephone company are fixed. You have switches and T1 connections going in and out. Those are fixed costs.
A telephone company would build a system for anticipated peak service and would add some room for expansion. As a result, the telephone company would build an expensive system with excess capacity.
Although costs were fixed, telecom companies would bill customers for time used. To do this, they would set a rate for normal usage that would be high enough to cover the costs of the peak usage network.
I imagine that the Internet is somewhat the same way. Internet companies build for peak usage and set a rate for normal usage that will cover the cost of the peak usage network.
The thing that happens in a DOS attack is that the DOS attack pushes the services used from the normal level to peak usage levels for a prolonged period.
Since most of the network's costs are fixed, the DOS attack really doesn't cost the network that much more. A DOS attack doesn't spontaneously generate more routers and fiber optic connections.
The end effect of the attack is that it screws up billing. Remember the normal usage rates are set high enough to cover the cost of peak capacity. The DOS attack creates a situation where the end user is suddenly being charged the rate calculated for normal usage at the volume of peak usage.
Now, I realize the Internet has an extreme number of layers of service providers. Many ISPs are just middlemen paying metered rates. The ISP is caught in the same trap of screwed up billing. The cost of the ISP's providers didn't go up during the attack.
The big bills for both the ISP and end user are the result of flaws in the billing and metering processes and not actual higher network costs. The challenge is to keep the charges from the DOS attack from screwing up the billing systems.
BTW, I do not mean to imply in this thread that DOS attacks are cost free. Just that the bandwidth consumed during the attack is really not costing the network that much more. The machines, cables and wires have more stuff going through them. The DOS attacks cost the support people in the ISP time, and have a cost in lost opportunity; they also create billing nightmares. The DOS attack does not actually cost the real dollar amounts that suddenly appear on bills.
Conflict of Interest
And informative? This is an ethics issue. Some interestings and insightfuls could maybe work in this thread, but .. informative?!? You think my question is the Word Of God or something?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I think this is an important issue. Generally speaking there is an inherent conflict of interests between the backbone providers and ISPs that profit from DDOS, spam and other unwelcome traffic and their customers. This is in my opinion why the backbones aren't that responsive. They actually profit from bandwidth-hogging activity, whether authorized or not.
In the case of Sprint, if you are hit with a DOS attack, they will not get involved unless your pipe with them is saturated. Their corporate policy (and I believe this is the same with many backbone providers) is that unless your connection is thoroughly congested, they will not filter or address DOS issues. They directly profit from crap traffic that you didn't invite.
For this reason, I think it is imperative that all bandwidth users begin holding their ISPs and backbone providers responsible for rogue traffic. This is the only way to motivate them to address the issue, otherwise they are quite content with an ever-increasing array of security, spam and other bandwidth problems. Now if your insecure server is compromised and is a party in the attack, that's your problem, but inbound DOS attacks, spam and other traffic that eats up bandwidth should be something the ISPs and backbone providers should have to eat!
That sounds like a good way to kill the internet. Who's going to log on if they risk running up a $10,000 bill from some script kiddie who took over their machine?
As for the cost, the ISP doesn't just pass on the cost, they pass on the cost plus a tidy 70% profit margin.
I can't speak for most providers, but many do not have that kind of profit margin. If you count ONLY bandwidth -- and ignore manpower to configure and maintain servers, building leases, and the other overhead involved in providing hosting services -- then possibly, on bandwidth alone, there's some markup.
But ISPs aren't raking in millions of dollars by over-charging for bandwidth. There are a LOT of other costs involved that make the bandwidth fee seem almost negligible in comparison.
You want just bandwidth, with no supplied hardware, expertise, location, support, etc? You can probably then save 70% or more. Oh, but you want hardware, disk space, staff to maintain servers at five-nines uptime, people to respond to emails at 2AM? Well, we need to increase the cost of service.
NGWave - Fast Sound Editor for Windows
Morons with their fucking spamware that attempt to use my machine as an open relay - they fucking try to pump through HUNDREDS of emails, and EACH AND EVERY ONE IS REJECTED - if those fucking retards would send one FUCKING test email, they'd know it's pointless to try and bounce off my mail server. But no, I get these fucking goddamn spikes in my bandwidth usage, and my bill$$ thanks to them.
Goddamn it! Stop fucking swearing!
There's a huge problem with this. Suppose the ISP has an OC-48. The day of an attack, the victim's server uses 75% (1.866 Gbps) of that OC-48. At $2/gigabyte, the victim would be responsible for $37,537.50 within 24 hours. On the other hand, if the ISP only had a T1, the victim would use 1.158Mbps at 75% utilization. That would come to $23.30 after 24 hours.
I would recommend a third option in which the customer can put a limit on the long-term transfer rate. Or cap the rate after they've transferred a certain amount of data. Based on your original proposal, the victim's liability would be based entirely on how big the ISP's pipe is (something the customer doesn't have a whole lot of control over).
Looking at the issue from another perspective, we are dealing with incoming traffic. Who sends that traffic? The ISP. Who sends to the ISP? Some backbone provider. Who sends to the backbone provider? Another ISP. Why should the end recipient pay for an attack, while all the middlemen make off like bandits?
Forcing the end user to eat the cost won't resolve anything, IMHO. Until someone whose voice will be heard, like ISPs, by the companies whose shoddy security helps perpetuate things like these malicious viruses steps up and says "you're hurting our bottom line", nothing will get better.
And, yes, I'm looking towards Redmond... I mean... it's not my OSX box or your Linux box that's hammering people's dsl and cable modems...
I, unfortunately, am under Telstra's thumb in Australia and currently am experiencing mysterious usage spikes (some while I'm not even #@&*^ online) so I may be biased. But I don't think making Joe Blow pay for this will do anything other than 'make Joe Blow pay for it', not solve anything.
- I am made of meat.
First, I must say anyone who pays for hosting based on bandwidth they get is stupid. Anyone can do ping -f IP_address for a night (for example a competitor). I refuse any offer for hosting, if it's counted by amount of bandwidth. I get billed by kbps (or mbps).
The second thing is what I believe is how a good contract should look. In the contract I give to my customers, there's a clause about such things. It means the client does not get billed excessively if such a disaster takes place, but I'm not responsible for the service not working 100% in this case. I believe it's fair to both sides.
So the real question is "who should pay for each unexpected bandwidth consumption event - the person who owned the site that got hit, or all customers, indirectly?" If the answer is "the person who owns the site", then if an individual becomes the victim of a malicious or unpreventable attack, they lose out financially. This could be seen to be unfair. If the answer is "all customers", then all customers lose out financially from the actions of a few customers who fail to manage their sites properly. So if I completely fail to patch my SQL server, get hit by Slammer, and claim that that's a malicious attack and not my financial responsibility, then every other customer pays for my laziness. That could be seen to be unfair. The (apparently) fairest answer is a combination of the two - if I'm the victim of an attack, I shouldn't have to pay for the increased bandwidth and the whole community bears the cost; but if I fail to take appropriate action to prevent an attack/surge/whatever, it's my problem and I should bear the cost. However, that answer means that the ISP has to define the criteria for what constitutes appropriate action, then police that. Which costs them a lot of money. Which the whole community pays for :-)
Disclaimers:
1) I don't work for an ISP
2) I don't even have a website
therefore
3) I probably don't know what I'm talking about :-)
The way to resolve this is to allow customers limited ability to specify filtering restrictions on the ISP side of their connection. Effectively what you want is to allow customers to have access to a web based management console that can set policing/qos/etc rules on their inbound (network side) interface. You could have a couple of "dummy style" settings: (a) minimal protection, (b) medium level, (c) maximum ... etc, with indication of consequences of setting these levels. If the user chooses minimum protection then they must be aware of the consequences of anything coming through to their pipe - otherwise, if they want maximum protection, then their pipe looks like a proxy / firewall style dmz.
Well, I ask, does it really cost anything to move numbers around through cables?? What exactly are they giving up apart from not charging someone $600 for going over their download limit? Which is a small price to pay for keeping a customer..
...but then I also say make an ISP for geeks with minimal tech support so I don't have to pay for my dad's 24 hr help line. And well, if it can work in the supermarket (the volunteer work-to-shop deal)
Apart from the initial cable roll out, what cost is there involved? Tech support? Electricity to power the computers? Ummm, I say give everyone a flat rate for the net and let them transfer what they want..
RIP THE FALSE ECONOMY APART!
I transfer UPLOAD well over 1GB a month from my cable connection (3.4Mbit down, 1Mbit up). I pay a flat rate of 34.99 a month. I probably average 2-4GB down per month, since I'm always downloading new distros and such. My ISP (Optimum Online) has never contacted me about bandwidth issues, nor do they say anything about how much you can use in a month. Is it not like this everywhere else? If I had to pay for my bandwidth I'd be so depressed, and I'd probably *gasp* go back to dialup so that I'm not encouraged to use a lot of bandwidth.
-zverg http://www.clauretano.com http://www.neonettechnologies.com
The telecom industry is in such bad shape these days that ISPs really have no choice but to eat the charges.
I'm not thinking so much for individuals, but for businesses; there is too much capacity right now chasing too few paying users.
If you won't eat it, some other hungrier ISP will, and I'll simply switch.
That may not be right in your eyes, but it's the way it goes.
You were mistaken. Which is odd, since memory shouldn't be a problem for you.
If the net was "public space", I'd never pay an ISP for it, as he can't sell me what doesn't belong to him. That would be like some company charging the people for using public roads.
Best solution for the billing problem: as traffic produces no real cost, only flatrates should exist.
You should find a provider that bills by transfer rate rather than bytes transferred and is willing to set a cap on the rate for you. That way, your total liability cannot exceed the cap. They have no incentive to flood you then or exaggerate your usage since anything beyond what you expect would be their failure and their responsibility, not yours.
Those are all interesting points you mention that make the Inet unattractive both for ISPs and users. But there is more: Don't also forget about the DMCA, insane cybercrime laws (soon also in a European state near you) and the like.
What IMHO eventually - in a mid to long term - will happen is this: Other nets will rise again. Think of something remotely like a Fido II with one document standard, a per-bandwidth payment model, no anonymity and thus serious trouble for anyone who compromises the mutual benefit of such a net.
I'd rather join a net like that than be put in jail because somebody hacked my account and spread some killer worm over it.
We suffer more in our imagination than in reality. - Seneca
The previous posters are on the right track here with insurance. You offer subscribers a policy based (somehow?) on their relative risk of having unexpected bandwidth spikes, and sell them coverage on that basis. The problem is, how do you know when their usage is really spiking, or just increasing as a normal part of their business? That's where averaging comes in. The power company in my area has a program whereby they average your usage over the previous year. Then, they charge you a flat monthly fee for the next year, based on your previous usage (plus some adjustment for inflation or whatever). If your actual usage is below the new estimated level, your monthly cost goes down for the next period to compensate. If your usage goes up, your monthly cost goes up. The evaluation period doesn't have to be as long as a year, of course; an ISP could average usage over a rolling 6 months, 3 months, or 2 weeks. This system helps businesses manage their costs and budget, and it keeps the ISPs from getting stuck with usage bursts just to keep a good customer. The customer covers the cost of the bursted bandwidth with insurance, or effectively self-insures and pays for a burst event when it happens. The ISP assumes less risk of unexpected costs, and should be able to provide service at an overall lower cost to customers (since they don't have to factor in unexpected, unpaid burst costs).
Sometimes I worry that I'll develop Alzheimer's disease, but no one will notice.
I have no problem with the ISP having to bite the cost of bandwidth especially when it comes to things like Slammer, etc.
I COMPLETELY disagree with the concept of public space and the user takes their risks. It doesn't cost me $70.00 (CDN) to walk in the park and I assume the risks of that action. I PAY $70 (CDN) for a certain level of bandwidth and service quality with very little risks.
Why should I pay for bandwidth that my network did not request? FOR EXAMPLE: on average I am billed for 300MB of traffic that my network or users never request. This calculation was done by reviewing OVERNIGHT usage logs (1AM - 7AM) which indicated approx. 9MB daily of unrequested traffic. This is traffic that is hitting my modem but not passing through my router, so I can be sure it's not being requested by my network.
While this unrequested traffic may seem small by many standards, it is still unrequested traffic that is impacting my monthly bandwidth usage limit of 7GB or 12GB. I know some may think, hell, it's only 300MB, but my point is I'm being limited by the total amount of traffic I can send and receive, and if I do not request this traffic why should I pay for it?
That's like suggesting someone pay to watch the advertising on my TV because it's in the same pipe as my television signal. Bullshit!
ISPs big and small need to grow up and start providing real service to their customers and STOP throwing their hands up, saying we only provide access! BULLSHIT! You provide access to a commodity and there is the VERY BIG difference. Ask AT&T!
And that's where M@'s at!
..is bullshit!
Gur svggrfg funyy fheivir lrg gur hasvg znl yvir. Jr zhfg ercrng.
And as a long time troll you really know what you are talking about.
If you're *co*locating servers with an ISP, you're entering a partnership like a lease. You're leasing space/power/bandwidth from them and promising to take care of things -- they promise to keep everything maintained. Both sides take risks and the risks are spelled out in the contract.
Every contract I've ever dealt with for a colo involves peak usage billing -- 95th percentile of average traffic is typical. Of course this is usually for a half rack, full rack, or cage -- not a single box. But that's been the deal at huge data centers (e.g. Exodus, RIP) and local ISPs (BNSI, my local colo provider).
They provide space, power, and bandwidth. I pay a flat rate for the space and power and a specified rate for the bandwidth -- my BNSI colo takes the higher of inbound or outbound 95% for the monthly charge.
I act as a good tenant -- I keep my boxes (even the windows ones) patched. I have a solid firewall. I put rate limiters on sites that need them. I monitor traffic. Everything a decent sysadmin does.
They act as a good landlord -- they keep things running, they notify me of problems, and they monitor their network well enough that I get a call when they notice (netsaint) my bandwidth spike, like when I upload 9 GB of data files for a client one evening.
We both act like responsible adults and everything is fine. Slammer's an excellent example -- one client at their site had an unpatched sql server -- sort of like letting the grass get 2 feet high in front of your rental house. The ISP cut them off, just like the landlord can step in and cut your grass if you're not maintaining it. Clients of mine at another site lost 6 hours of uptime because the ISP responded poorly to someone's unpatched box. Two days later, that ISP was hit by slammer on ANOTHER box. Not a good landlord -- they're not taking care of the properties they own.
A lot of the billing ideas in this discussion are intellectually sound but hard to implement in practice -- I mean tracking each packet and throwing it in a particular category for billing? If the ISP is doing that, the costs are going to be $$$$ and those will be passed on. I don't want to pay that because I don't need it -- and the ISP shouldn't raise its prices to solve a problem that's not really their problem.
So an incoming spike comes in -- I want a phone call/page where they ask me if that's OK. I'll even pay for the service. Whether it's a good (more business) or bad (hacker traffic) spike I need to react to it. I've got systems in place and they have systems in place. We're both good citizens. We both benefit. Max benefit for minimum work. I don't need to be charged properly for each packet -- I just need to be charged properly for my usage trends.
So write it into your contract -- don't use SQL Server, ask the ISP to block it outside your switch. Or keep the records yourself and contract with them to refund the bandwidth if you get excessive traffic you didn't and can't use. It's like saying "How about if I cut the grass and paint this rental house and you reimburse me the expenses if I do a professional job". Win/win for everyone. Clear terms. If I do a crappy painting job, I shouldn't get reimbursed, just like if I do a crappy record keeping job about packet traffic on the server I shouldn't get a refund.
Hacker attacks, etc, are part of the cost of doing biz on the Internet. You open a shop in real life, you deal with shoplifting -- you build it into your costs, either through higher security or anticipated "breakage" or whatever. I charge my clients more for SQL Server than MySQL not only because the license is much more expensive, but because the risks are higher from a security perspective. There'll be some breakage -- plenty of extra TCP 1433 on my firewall -- but it's built into the cost. As is the time I spend upgrading Windows 2000 and SQL Server. When you lease a house, you might call this normal wear and tear.
So it's a lease. Find a good landlord. Be a good tenant. Anticipate wear and tear. Build that into your budget.
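The 95th-percentile billing the colo post above describes, worked through as an added example (not the provider's or the poster's code): the sample rates, the 5-minute polling interval and the $/Mbps price are constructed assumptions.

```python
"""95th-percentile billing as described in the colo post above: sort the
month's rate samples, drop the top 5%, bill the highest remaining sample.
Added example, not the provider's code; rates, interval and price are
constructed assumptions."""
from math import ceil

SAMPLE_MINUTES = 5   # assumed polling interval for the interface counters


def percentile_95(samples):
    """95th-percentile rate (Mbps) of a sample list; 0.0 for no samples.
    At 5-minute samples the discarded top 5% is about 36 hours per month,
    so a short burst is free, while a multi-day flood is billed in full."""
    if not samples:
        return 0.0
    ordered = sorted(samples)
    return ordered[max(ceil(0.95 * len(ordered)) - 1, 0)]


def monthly_charge(inbound, outbound, price_per_mbps):
    """Bill the higher of the inbound and outbound 95th percentiles, as the
    poster's colo does. Returns (billable_mbps, charge_in_dollars)."""
    billable = max(percentile_95(inbound), percentile_95(outbound))
    return billable, billable * price_per_mbps


def build_month(baseline_mbps, spike_mbps, spike_hours):
    """Constructed 30-day month of samples: flat baseline plus one spike."""
    total = 30 * 24 * 60 // SAMPLE_MINUTES        # 8640 samples
    spike = spike_hours * 60 // SAMPLE_MINUTES
    return [baseline_mbps] * (total - spike) + [spike_mbps] * spike


if __name__ == "__main__":
    inbound = build_month(2.0, 0.0, 0)
    # the post's one-evening 9 GB upload: ~10 Mbps sustained for two hours
    outbound = build_month(3.0, 10.0, 2)
    print("evening upload:", monthly_charge(inbound, outbound, 20.0))
    # a three-day inbound flood, by contrast, lands inside the billed percentile
    print("3-day flood:", monthly_charge(build_month(2.0, 80.0, 72), outbound, 20.0))
```

The two runs show why the poster only wants a phone call for a spike: the evening upload never reaches the billed percentile, while a sustained flood does, which is exactly the case a rate cap or contract clause has to cover.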
If the bandwidth spike is the result of an insecure network by the client, they need to eat the cost, as they have indirectly incurred it. But if they were the victim of a DoS that involved packets originating from another ISP with source addresses spoofed as though they originated from the client network, I'd say the ISP needs to eat that; they should be ingress/egress routing. And when slammer hit, if they didn't have SQL servers accessible to the outside but got hit with enough scans to boost their charges...well, at that point I think the ISP needed to start filtering that port for a short time at their borders anyways (remember that that specific port was for purposes that are not likely over the internet without a VPN).
I think it ultimately comes down to whose negligence led to making the bandwidth-intensive attack possible.
For your security, this post has been encrypted with ROT-13, twice.
For dedicated and co-location servers, I believe that the client should pay for all traffic that is leaving and entering the ISP's network for that server.
For shared sites, the client should only pay for open ports requested by the client (80, 21, 25).
If you hit 75% and it's only the middle of the billing period, make big files inaccessible (video, sound, pdfs).
I can drop my site down to a text based theme if needed and the media manager can return 404 for the videos.
Suppose the case of a customer who runs an SMTP server. A spammer tries to connect to it, the server accepts. The spammer sends a few gig of spam to him, which procmail or something ends up throwing away. Technically, this is "solicited" since the user's machine did accept the connection. But it is abuse, and wasn't really "solicited" in the way that we humans normally think of it.
Modern MTAs accept the connection but reject blacklisted sites, or attempts to use them to relay when they're configured not to relay, before they get to the body of the email. So the rejected spammer can only chew up a little bandwidth on each connection. Rejected spammers are thus demoted to a DoS attack.
If a billing regime like the one I described becomes available, it will encourage the authors of MTAs to just refuse connections from blacklisted IP addresses, and temporarily blacklist any IP address that rapidly makes several consecutive spam attempts that are rejected.
Problem solved.
You know, that MTA hack might be a good idea even WITHOUT the billing regime. It would cause open relays and ISPs catering to spammers to temporarily lose their outgoing mail connectivity whenever the spammers start up and the MTAs notice it. That will not only save resources on the MTA machine, but penalize open relays and SPAM-friendly ISPs, giving them added incentive to police their outgoing traffic.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
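The temporary-blacklist behaviour the post above proposes for an MTA (block a client at connect time after a rapid run of rejected attempts), as an added example that is not code from any real MTA: the log line format, the thresholds and the sample log are constructed assumptions.

```python
"""Temporarily block SMTP clients whose attempts keep being rejected, the MTA
behaviour proposed in the post above. Added example, not code from any real
MTA; the log format, thresholds and sample log lines are constructed."""
from collections import defaultdict, deque
import re

# Assumed (constructed) log format: "<epoch> <client_ip> <accepted|rejected> [reason]"
LOG_RE = re.compile(r"^(\d+) (\d+\.\d+\.\d+\.\d+) (accepted|rejected)(?: (.*))?$")
MAX_REJECTS = 3       # consecutive rejects inside the window before blocking
WINDOW_SECONDS = 60   # sliding window for counting rejects
BLOCK_SECONDS = 600   # blocks are temporary, so a false positive self-heals


class RejectTracker:
    def __init__(self):
        self.rejects = defaultdict(deque)  # ip -> timestamps of recent rejects
        self.blocked_until = {}            # ip -> epoch at which the block expires

    def is_blocked(self, ip, now):
        expiry = self.blocked_until.get(ip)
        if expiry is not None and now < expiry:
            return True
        self.blocked_until.pop(ip, None)   # expired (or never blocked)
        return False

    def record(self, ip, outcome, now):
        """Feed one attempt; True means refuse it at connect time (client is blocked)."""
        if self.is_blocked(ip, now):
            return True
        window = self.rejects[ip]
        if outcome != "rejected":
            window.clear()                 # an accepted message breaks the streak
            return False
        window.append(now)
        while now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_REJECTS:     # this attempt was processed normally;
            self.blocked_until[ip] = now + BLOCK_SECONDS  # later ones are refused
            window.clear()
        return False


def replay(log_lines):
    """Replay attempts through the tracker; return (blocked IPs, refused count)."""
    tracker, refused = RejectTracker(), 0
    for m in filter(None, map(LOG_RE.match, log_lines)):
        ts, ip, outcome, _ = m.groups()
        refused += tracker.record(ip, outcome, int(ts))
    return set(tracker.blocked_until), refused


SAMPLE_LOG = [  # constructed: a relay abuser hammering away, and a normal client
    "1000 192.0.2.10 rejected relay denied",
    "1001 192.0.2.10 rejected relay denied",
    "1002 192.0.2.10 rejected relay denied",        # third reject: block begins
    "1003 192.0.2.10 rejected relay denied",        # refused at connect
    "1005 198.51.100.7 rejected blacklisted sender",
    "1006 198.51.100.7 accepted",                   # streak reset
    "1007 198.51.100.7 rejected blacklisted sender",
]
```

Running `replay(SAMPLE_LOG)` blocks only the relay abuser; the client with an accepted message in between is never blocked, and every block lapses after BLOCK_SECONDS so a legitimate sender hit by a reject burst recovers on its own.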