Bad Behavior on the 'Net - Who Pays the Bandwidth Bill?

rakolam asks: "I am involved with network management in the hosting department of a fairly large ISP. Constantly we have customers who dispute inbound bandwidth spikes and demand service credits on their burstable connections. Events such as the Slammer Virus literally have everyone knocking on their salesperson's door at the end of the billing cycle. My position is that the internet is a public space, and by placing themselves in that space, one has to realize the consequences (and the implications of burstable billing). I'd like Slashdot's perspective on this. Should ISP's ultimately eat the costs of malicious behavior? Is the customer ultimately responsible for the bandwidth they've generated, regardless if it's desired or not? Is this a new frontier for insurance companies?"

analogous to water/electric company IMHO

[rdewald]

What happens to you if someone runs an extension cord from your house or if you spring an unknown water leak? You get a huge bill and you fix the problem. How is this different?

Re:analogous to water/electric company IMHO

[captain_craptacular]

Bad Analogy. The poster says customers dispute INCOMING bandwidth spikes. So the analogy would be more along the lines of someone sending a huge power surge through your lines un-announced and un-requested, then the power company attempting to charge you for it.

I lean towards the consumer not having to pay, considering they didn't request the traffic and are therefore not resonsible for it.

Re:analogous to water/electric company IMHO

[macrom]

It's different because stealing electricity is, in most place, a crime. If you can prove that your neighbor used your electric line to power his house, some sort of authority would go after the other party. Granted, your only recourse may be in small claims court, but you would still have a way to recoup your losses.

A virus or other Internet contaigon could come from somewhere waaaay outside your jurisdiction. If some server in China is constantly bombarding your incoming pipe with virus activity, bogus web requests, port scanning, etc. then you're stuck footing the bill.

With all of this said, I think ISPs should provide some sort of insurance to their burstable customers. You could get so much bandwidth per billing cycle but leave room for error in the event your customer can verify that they received "hacker traffic" or somesuch. Perhaps even build in clauses that say the end-user is required to notify the ISP of problematic access within a certain timeframe, that way they can take action further up the pipe to block said packets.

If a user, however, comes up at the end of the month and complains about lots of unwanted traffic, well, hire an admin to look after your connection and come see us next month.

Re:analogous to water/electric company IMHO

[Fishstick]

Yep, I was thinking along the same lines. It's like having a drinking fountain outside your house for public use - you are expecting amybe 10-20 gallons monthly as people stop by and have a quick sip. Then, you get all pissed when your water bill comes and 5,000 gallons show up when the circus comes to town and all the clowns have used your water fountain to fill all their water baloons. :-)

Do you then go ask for a credit from the utility because of the excessive/unexpected use?

Re:analogous to water/electric company IMHO

[Enry]

This is incoming bandwidth - that is, the customer may be fully patched, but the bursts are coming from outside the network. This would be more analagous to the electric company hitting sending 220V (or 440v) to your house for two days. Who's at fault, them for allowing a change in what is coming down the pipe, or you for not protecting each piece of equipment in your house? At best, it's a combination. The electric company should know better than to give you more than you know you need, and you should not rely on someone else to protect your gear.

The only way to really take care of this is to put a firewall in front of the box doing the metering. If the firewall rules are written properly, things like the MSSQL bug won't make it past the firewall.

Re:analogous to water/electric company IMHO

[luzrek]

build in clauses that say the end-user is required to notify the ISP of problematic access within a certain timeframe

This would be like dealing with stolen credit cards. When a credit card is stolen the owner gets 24 hours to report it and is only liable for $50. If they wait up to 72 hours, they are only liable for $500. I'm not sure what happens after that. This system protects both the credit card company and the credit card user by insuring prompt reporting of stolen credit cards and fraudulent activity (and can hopefully catch the crook). This system has worked fairly well.

The implications for ISPs and their customers for a similar system would be pretty interesting. The customers who actively monitor their network traffic and help to head off problems would be rewarded by being less liable for damage, while ISPs would be free to give the full bill to those who ignore their bandwidth usage. This system should lead to lower costs for the better customers and discurage neglegance possibly leading to better service for all.

Re:analogous to water/electric company IMHO

[DanEsparza]

I completely disagree. Bandwidth is analagous to people using roads (network connections). If roads are heavily used, they must be maintained, or they fall into disrepair. If network connections are heavily used, ISP's need capital to get bigger (or more) connections so that certain service levels can be maintained.

We don't live in an (entirely) communist world. We don't get to pass out resources indiscriminately. We have a fixed amount of resources, and as with any case of supply and demand, the person holding the supply can (and should) charge for using the resource. In the case of network bandwidth, the resource is not obvious, but it is still tangible: It is network equipment and opportunity costs.

Re:analogous to water/electric company IMHO

[rodney+dill]

Pick your analogy.

You can also use the analogy of junk faxes. Your machine is set up and the number is available for anyone to call, but people can be prohibited from using your resources by sending you junk faxes.

Though with out specific laws it probably comes down to contract and at that point it is probably buyer beware, whether you agree with it or not.

Re:analogous to water/electric company IMHO

[pclminion]

Do you then go ask for a credit from the utility because of the excessive/unexpected use?

For unexpected use, of course you can't demand a freebie, since it is understood that the fountain is for public use. However, suppose someone presses the button on the fountain and holds it for several hours without drinking anything. This seems like theft, to me.

Any service offered to the public has certain bounds within which it is expected to be used. People should have the authority to prevent others from abusing their services.

If someone is DOSing me, and I have no authority or technical capacity to stop their attack, then why should I pay for someone else's criminal behavior? If I immediately pull the plug on my network, call up the ISP to inform them, yet the packets still come cascading in... I have acted in good faith to do everything possible.

The current situation is like being able to watch the guy pressing the button on the fountain, and paying for the water, yet not being able to do anything to stop it. How can that be *my* fault?

Re:analogous to water/electric company IMHO

[Fishstick]

>my small scale situation may not translate to a large business account.

Exacly. Not even a large account. If you shut me off for the rest of the month, I've got a problem. I need to have my site accessible. I just want to pick and choose which access (legitimate) I want to pay for. ;-)

Someone else said the ISP should firewall off the "bad" traffic. Does the ISP then complain to its upstream provider about that bandwidth? Someone has to either pass on the cost of that bandwidth or eat it.

Where do you draw the line? You could argue that your ISP has no business charging you for inbound UDP packets to SQL server port (1443 was it?) since you expect to only provide http on port 80. Next month there is another virus/worm that causes another spike, but this time by flooding the net with bogus TCP traffic on port 80. Now do you try to get your ISP to take that off your bill because it was from a virus/worm?

Re:analogous to water/electric company IMHO

[Mirus+Nex]

That is to say that a) the customer is intelligent/experienced enough to know HOW to monitor the site and b) they monitor it on a regular basis (daily)...

If the service provider was nice at all they would provide a log or usage stats via email to the customer stating they are coming close to max bandwidth or a warning that they've exceeded their bandwidth.

The problem, however, is that most of these people are on dial up connections or are unqualified/unable to set them up at home and is why they use web hosting services anyway. Some blame goes to the customer because they didn't search around for a provider that offers these services.

I have Cable Modem service and don't use it's email or web hosting services even though they are free. I have a web server in my basement and I use zoneedit for DNS service (free up to 5 IPs) and have another server co-located for email which doesn't charge for bandwidth.

So, either you should search for a non-bandwidth charging service (you'll probably pay more /mo) or be faced with this possibility.

I liken it to flood insurance. The last few years the Northern MidWest (MN/Dakotas) experienced a lot of flooding. The people living on a flood plane bitched because their house flooded. So they rebuilt it and it flooded again 2 years later, though "scientists" stated floods only happen every 25 - 50 years... What do you expect living in a flood plane?

In this specific situation the ISP should be a little lenient and waive most of the fee which can be written off as a loss anyway . At which point the ISP should provide a specific clause, increase everyone's rate or fix their server to provide better monitoring capabilites and/or automated disabling, etc...

Sh*t happens... What's more important? Losing a few dollars one month or losing a few customers for life???

Re:analogous to water/electric company IMHO

[DunbarTheInept]

Presumably you don't know how internet clients and servers work. (Or you do, in which case you are deliberately arguing in favor of an unfair billing practice.) A website is a server. It sits around waiting for clients to connect. The site maintainer cannot stop clients from trying to connect. The most the maintainer can do is refuse to reply to those connection attempts. That's it. He can even take his server down entirely and that doesn't stop people from trying to hit it anyway and sending him HTTP requests that never get answered. For an example of this, we run Apache and even so people still kept trying to send us HTTP requests designed to exploit Microsoft's IIS webserver. We firewalled those addresses off, but our firewall kept reporting that those requests were still coming in. We couldn't stop them - the most we could do is give them the silent treatment.

What you are advocating is like claiming that you should pay the phone compnany for every time someone calls your phone, even if you don't answer it, even if you leave it off the hook, even if you leave it unplugged.

Re:analogous to water/electric company IMHO

[DunbarTheInept]

Firewalling doesn't solve the problem. By the time the packet reaches the ISP's customer, it's already been counted. Whether the customer replies to the request or denies it with negative feedback, or just ignores it - doesn't matter - it's already been passed through the ISP on the way to reach the customer, so they've already counted it.

If you hold the customer responsible, then people angry with that person can just drive up that person's cost by choosing to flood him.

Re:analogous to water/electric company IMHO

[poopdik]

Yep, I was thinking along the same lines. It's like having a drinking fountain outside your house for public use - you are expecting amybe 10-20 gallons monthly as people stop by and have a quick sip. Then, you get all pissed when your water bill comes and 5,000 gallons show up when the circus comes to town and all the clowns have used your water fountain to fill all their water baloons. :-)

Do you then go ask for a credit from the utility because of the excessive/unexpected use?

It would be as if the customer of a phone company were charged for all incoming calls, and then were signed up to millions telemarketing lists. There is too much chance of colusion and conspiracy between the people who charge for bandwidth, and the people who steal it. It reminds me a lot of virus writing/virus software vending or security consulting and exploit development. It's a dangerous situation and I think it should be fixed now before people take for granted that this is the way it will always be.

Users just won't pay

[drfuchs]

If someone steals my credit card number, the credit card company won't even charge me the $50 that they have the legal right to. I doubt that ISPs will be able to fare any better.

The customer always pays

[chrisseaton]

You could let them think that you were "eating the cost", but everyone ones it would simply be passed to the customers in the end.

Re:The customer always pays

[timeOday]

This argument is overused. If it were true, companies wouldn't balk at paying for things, which they invariably do.

But it's not true. If McDonalds loses $80 in a lawsuit to somebody burned with hot coffee, they *can't* just raise their prices to recoup; their prices were already set to maximize profit before. So what gives? Profit. McDonald's shareholders lose, not the public at large.

It's not the ISPs responsibility

[Mustang+Matt]

It sucks for them, but it's their server on the net and their responsibility to pay for the bandwidth used.

It's up to the ISP

If you are an ISP and you want to charge people for bandwidth caused by worms and DoS attacks, put that in your user agreement. If you are willing to swallow the cost of attacks, put that in your agreement. There's no need for regulations or insurance yet.

That depends on what service he has with you

[dawime]

Is he hosting something on your servers or he has a box co-located? I would say he is responsible if he has to administer his box - otherwise, the ISP should bear the costs

Were the patches applied?

A few different issues here:

- yes, in genral, they should be responsible for their bandwidth ... but if a big customers is going to walk over it, you need to make the right business decision
- even with something as simple as MRTG they should be able to have an idea of whether or not the service provider is billing correctly on burstable stuff
- if they haven't applied patches, then i can't see how a consumer of bandwidth could have any argument at all

It's in the contract

[eagle486]

The customer pays what is in his contract. Make the language very explicit. There is no reason the ISP should eat it.

Re:It's in the contract

There's no reason the customer should eat it either. He's not generating the traffic!

The ISP's business model is flawed because it relies on the fiction that the customer has reasonable control over his inbound bandwidth.

This flaw is why there is a dilemma. Either a pissed-off customer who takes his business elsewhere or the ISP grudgingly eats the cost. Remember, unless you have a monopoly, you can't abuse your customers.

The ISP has some options, though.
1) Set an agreed upon limit for legitimate traffic and shape it.
2) Deploy an IDS and reject queries from comprimised hosts
3) Sue owners of comprimised hosts to push the costs back to the generators of malicious requests.

In other words

[djKing]

Should /. pay the bill for the /. effect?

-Peace

simple

[sydlexic]

I think it's simple to say you're responsible for your outbound traffic. If your machines are compromised, you should eat the bill for the traffic they generate. On the other hand, if you receive some wave of unwanted inbound traffic, you should definitely not be liable. Even a dropped UDP packet takes bandwidth.

In fact, I'd prefer a pricing model that is fixed for inbound and metered on the outbound. It puts a financial burden on spammers, copyright violators and the tragic/stupid victims viruses. On the other hand, if you've got something to sell, you should be more than happy to pay for bandwidth used to move that merchandise.

Balanced response.

[gehrehmee]

Give them a complete or partial rebate, the first time, and have a set of "How can I protect myself?" documentation ready for the user. Email it to them, mail it to them, fax it to them, whatever it takes to get them to read it.

Inform them that if they ignore those suggestions, and future problems end up costing them money, then they'll have to foot the bill.

This way, the customer walks away happy and informed, and if they're really willing to be a good net citizen, they won't come back crying.

If they're not willing to do what's required of them, they'll get stuck paying for it.

Re:Balanced response.

[johnnyb]

You're missing the point - you _can't_ protect yourself from incoming traffic. Period. Even if _you_ block it with a router or firewall, it has still come into the ISP and you are billed for it.

Liability = Incentive to be vigillant

[Edball]

You know, it seems to me that if Individuals are held liable for bandwidth issues stemming from malicious users, it provides a pretty good incentive to keep their systems up to date with the latest patches.

It also would cause Individuals to generate greater pressure on Distributors to get patches out and visible to the general public. If the general public took more of an interest in internet security, there'd potentially be much fewer DDos Zombies out there.

There's nothing quite as eye-opening as a huge bill sitting on the table staring back at you.

And that's my 2 cents.

A Blend of the two?

[rblancarte]

Perhaps the best solution would be to impliment a flat rate that under which, you would just pay a set amount per month. If you exceeded this, then you would pay on a burst billing method for the bandwidth beyond that.

The real question becomes where do you set the line? But that could be determined by the average user usage, perhaps a study could be done over the course of a few months to see where people fall on this whole thing.

RonB

Re:Simple policy

[sweetooth]

Protecting yourself from an attack, such as code red, doesn't mean it doesn't still eat bandwidth. It's the same with anything. I noticed today that my mail server was a little slugish. I sshd into it checked the logs and saw the same bastard attempting to send spam to the server and tons of rbl lookups were taking place. So I added the various ip's to the firewalls blacklist. So now the mail isn't processed, but whatever program they are using doesn't even bother to check to see if the mail is being accepted, it just keeps spamming. So, I'm still having a fairly large percentage of my bandwidth being eaten because of a very inconsiderate individual. Stopping code red was the same. At one point I was logging thousands of attempts every day. They were not successful, but they still ate the bandwidth.

I don't know what the solution to the problem is exactly. As it stands now I pay for any bandwidth used regardless of how or why it was used. It would be much better if those charges could be passed along to the person responsible for abusing your bandwidth, but how that could be enforced is beyond me.

One thing I have to note here is that the person posing the question is talking about INBOUND spikes not outbound. So your points are even less relevant.

Bad idea anyway

'Burstable' billing, or any other scheme for charging based on total traffic trasmitted, is a bad idea anyway. It creates additional overhead (and therefore cost) on the providers end, and unnecesarry paranoia for a customer.

Billing a fixed monthly amount for a particular rate of transfer is a much better option.. Eg, $400/mo, for a 2Mbit link (if its via a media that can go faster, rate-limit it to 2Mbit). No extra resources used to measure utilization, no surprises in the bill.

Re:It Depends

[josh+crawley]

---Blow them off and the only that you might get from them is the finger.

If they're part of an ISP, they probably have already got FINGERD.

Bad business

[Obiwan+Kenobi]

If you treat your customers like this, you're going to lose them. Simple as that.

I liked the analogy someone else came up with, such as someone running an extension cord from your house to theirs. Who is responsible here?

If I had hosting with your company, and the slammer bug hit servers that your sys admins failed to update, then you better eat that burstable bandwidth bill or a lawsuit couldn't be far behind (depending on the amount, of course). If the servers were my responsibility, including keeping them updated, etc, then I could understand your reasoning.

If a DDoS attack cripples my site, and you expect me to pay for that, you're sorely mistaken.

The simple fact is if they caused it, they paid for it. This includes patches/fixes the customer should've implemented. If you run and maintain that server for them, then no bill increase should be applied.

If someone out in the world caused it, a random malicious event that they just so happened to be on the brunt end of, just throw away that burstable bandwidth bill and make sure your customer knows you did them a favor.

It may not be your place as to pay for that second scenario, but you'll keep your customers longer, keep them happier and keep word of mouth on your company going strong.

It's just good business. Were this my company, I would never even think of treating customers this way.

How badly do you want to keep the customer?

[Matt_Bennett]

If you want to keep the customer, the first time it happens, you might want to forgive the excess bandwidth charges (while pointing out the specific clause in the contract that says you have every right to charge them), tell them that it's "for this time only," and make a record of it. This is the type of action that can inspire customer loyalty. If you want to keep customers, you need to find some ways to differentiate yourself from all your competitors. Since you're keeping records, you should be able to tell if a customer is just trying to abuse your policies.

You need to ask yourself- how much did the excess bandwidth really cost, and how much is this customer worth to me in the long run? Probably, keeping that customer will make far more impact on your company in the long term than if you charged them, pissed them off, and inspired them to switch to another ISP.

95th percentile model anyone?

I thought many bandwidth providers had moved to a 95th percentile model to bill for bandwidth. Ignore the top 5% of the usage samples for this month and bill at the customer's 95% usage. This means that any sudden spike doesn't count against your bandwidth. Lots of spikes, or a spike that is not handled within a day moves the 95th percentile way up.
Our upstreams bill us this way, and all of our burstable downstream customers are billed this way. It works well that way.

Re:Charge on sent traffic.

[wikthemighty]

Every ISP should base charges only on how much traffic you send.

What?

Maybe you're just oversyplifying, but wouldn't this charge me only for outbound data (like HTTP GET requests) and not for the gigabytes of pr0n I download every day?

Hypothetical situation, I Assure you! :)

Re:I say charge the customer

[bellings]

This risk can be removed by turning any of your equipment off

If they're being charged for incoming bandwidth (especially incoming UDP bandwidth like the slammer worm) then shutting off their server will not help.

As long as the router continues to send those packets to that IP, they'll keep getting those packets. It doesn't matter if the packets just fall off the end of an unplugged cable -- incoming bandwidth is incoming bandwidth is incoming bandwidth.

If I sent a huge SYN attack to your home DSL connection, and your machine crashes, are you responsible for the bandwidth before your machine goes down? Are you responsible for the bandwidth after your machine has crashed, but before the ISP's realized you're not on the other end anymore?

proof of malicious intent

[ShortSpecialBus]

unfortunately, there would have to be proof of malicious intent, or at LEAST a reasonable knowledge taht linking to the page would cause the business to lose money.
While /. would have a reasonable knowledge taht linking to the page will cause the page to load slowly, they don't know what sort of connection the page is on, nor is it their responsibility to find out.

The day anybody becomes liable for linking to a page on the internet will be the end of the world wide web...that's the whole premise of the thing...

The only thing I can think of is something similar to the robots.txt file...have your webserver have a slashdot.txt file that says something like NoSlashdotLinkage = true in it or something, anything similar to the thing for preventing search engines.

This is why...

[dills]

This is why we don't offer burstable connections.

You pay for capped bandwidth, and your bill never changes.

Andy

Re: Simple policy

[penguinboy]

That's not likely to be an acceptable solution when the computer in question is a server than your business depends on to make money. Not everyone one the net is a home user who can take a few hours' break at whim.

Treat it like they treat Phreaking...

[jsimon12]

If a phreaker biege boxes your home phone and runs up a huge bill who eats that cost?

The answer should equate to who should eat the cost of a DoS trojon.

Ironic...

[PhoenixK7]

One of the few slashdot stories without a link ;)

I feel this is an excellent time to discuss SLASHDOT'S moral obligations in linking. Certainly some shops can handle the amount of traffic that is sent their way by getting posted here, but in other cases the server gets hosed, the bandwidth bill goes through the roof, or worse! (remember the guy with the barcode entry system to his house?)

C'mon editors! At least make it so the front page links link to cached text copies sans images or something.

Security and responsibility.

[TitaniumFox]

Sure, this could ignite a thread about [insert software vender of your choice] and their hole-filled software with respect to how fast service patches come out, but it's not meant to. It's about the reality of technology and the responsibility that goes along with it. You want the privilage of live internet? I think you need to know the basics of networking and security first, because it's a public forum and what you do has an impact on others. Don't want to step up? I've got an AOL CD with your name on it.

The security of my computer (and therefore, my bandwidth) is my responsibility. The physical security of my house is my responsibility. What about my car at the parking lot? Most places say they're not liable. So...I take the responsibility of making sure my doors are locked (and taking the risk of an actual glass-break-in) if I want to shop at [department store]. Being live on the internet isn't much different. You're still traversing among the public, only now the population is MUCH bigger. As soon as I stick my Cat5 in the wall, security IS my responsibility. I don't buy the stance of "it's Microsoft's fault my box is insecure, and there was no patch." We're all adults. You run what you choose on your equipment, and that's your decision. My ISP runs wide open, and they make it known that there isn't any filtering and firewalling going on. They like to deal with the computer savy customer and encourage the use of a non-windows machine for your firewall, and have free classes on how to set it up. If my WinNetOpenBeOSFreeBSDLinuxBox gets hacked and there's a patch or a config file that I neglected to update/change/whatever, isn't it my responsibility? I think so... You take your lumps, learn, and do better next time. The internet, like the circus, is a place where the smart get sifted from the ignorant, and usually the ignorant get parted with their money. Pay your nickel (ie. know your network), ride the ride...otherwise, you're in Soviet Russia....

Legal Liability

What you may be interested in is where you stand legally. A RAND study made during the middle eighties (obviously not internet related) covering similar thefts returned the following conclusion.

In the case where the theft occured (mutually) from both a commercial and private victim, the commercial victim is generally assigned the majority of the loss because they are considered to have superior knowledge and been in a better position to have prevented the theft from taking place.

Since the theft was allowed by two enteties (the target Computer and the ISP servers that allowed the theft to take place), both entities would probably be apportioned a percentage of the cost.

Since this has never gone to court, there is no case material to set some form of guidelines.

My guess is that apportioning the entire blame to the customer (and billing them) would not hold up if the customer filed against you.

Depending on what measures your ISP has taken to prevent this type of abuse (filters, scanning, etc.) you could probably get away with some form of apportionment where the customer is billed for part of the cost.

Tom

I get What i Pay for

[visionsofmcskill]

ISP's should eat the costs.... If you provide me with a service that claims to provide me with a certain bandwidth.... then that is what i get.

Because YOUR (isp) system of delivering bandwidth is faulty or doesnt account for abuse potentials is NOT my (consumer) fault.

If you decide to enforce a D/L cap, i myself will not be your customer....

If i was the average joe who opted to take on that bandwidth cost then i would blame YOU the ISP for allowing malicous data to be replicated at obvious expense.... as in if a port is responsible for great amounts of malicous (repetitive, near obvious redundant packet exchanges indicitive of an attack, worm, or virus).

The whole thing is, as an isp... the service you provide should be a fully enclosed package... no hidden/additional costs. And bandwidth capping should not incur automatic additonal costs to the consumer after a limit is reached, it should result in a great limiting of bandwidth (after a certain amount is reached) or in a blocked connection (allow only the company's IP until the customer buys more bandwidth).

My personal opinion, we are getting dicked by the tele-comunications industry from the top down... everything from home phones, cable, cell phones, broadband, T1's and more are greviously over-priced at a near basement cost to the mother companies. By the time a consumer recieves their data the fixed price of hardware and the cost of ELECTRICTY has been multiplied ten-fold. Mid-Range ISP's are being squeezed by the big players, and in turn are having to offer misleadingly high "bandwidth" speeds with BullShit Capping.

Downloading megabytes into your cell-phone doesnt cost sprint shit, but youll have to pay 1.00 per DL.

Of course the tel-co's are screaming bloody murder about their losses, but it isn't from data rates.


As a last note.... when we were all using 56kbps modems you could DL for days on end... you could call your local BBS and be charged a phone call while DLing full-speed for hours.... No extra cost... didn't cost them a thing since we payed for the phone-call.... Now that High-Speed is in the home.... and the tel-co's found they could save even more money by offering bandwidth speeds based on diluted averages of many users, they think it's fair to make more money by punishing those who ACTUALY USE THEIR bandwidth. Bandwidth which is only ELECTRICTY. Do you honestly think Time warner can offer 500 channels of digital cable, with "on demand" channels (where you can choose a movie and play it immedietly) for 60$ bucks a month and not provide that same (nearly continuous) data rate to internet connections?

luckily.... with the advent of online movies, music and application servers and such, soon even joe email will be needing a constant high-speed connection.

Just my two cents.... VISION
--Enter The Sig--

Re:I get What i Pay for

[man_ls]

Burstable bandwidth means you're paying for this much - but if your server for some reason needs more, instead of being screwed and dropping connections, your server gets more bandwidth, which you pay for.

Good for low-useage servers with very short spikes of popularity.

You've just said that the ISP should eat the cost of the extra bandwidth...why? You agreed to burstable charges...they gave you more in advance, on condition you would pay for it with your next bill.

"Because YOUR (isp) system of delivering bandwidth is faulty or doesnt account for abuse potentials is NOT my (consumer) fault."

"If you decide to enforce a D/L cap, i myself will not be your customer...."

With that type of an attitude, you're saying you are entitled to unlimited bandwidth. The datacenter has an OC-48 into it...does that mean you're entitled to that? Not unless you paid for it...

The network has the capability to deliver high speeds, but if you didn't pay for that speed you're not entitled to it any more than someone who doesn't have the service at all is.

Re:Here's the problem Jerky...

[Jim+Ethanol]

First off, you said your self that you work for a big ISP. That means that they have the resources to pay someone like you to monitor this type of thing. That's not the case for "Joe 4U" that just has a couple of boxes in a rack.

Second, I said DOS... and I said INCOMING. If someone pulls your subnets from ARIN and starts doing variable UDP DDOS attacks against oh.. I dunno say your DNS servers... what are you going to do? Shut down DNS? Block all UDP? I think not.

The point key point I'm making is that I can make you eat a packet. If it's UDP, I can spoof my source address, so good luck blocking it by IP. Give me you're IP's and I'll show you want I mean ;)

I own a small networking company that subleases space out of Exodus locations. And I'm telling you, it's not feasible to ask the average CoLo customer to do 24hr bandwidth monitoring, and real-time assessment of threats / packetshaping. When "Joe 4U" is asleep for 8 hours and his box is getting 100Mbits per second in DDOS traffic. There's a problem.

The ISP has the resources and the expertise to solve the problem. It amounts to signing users up to an agreement that allows the ISP to "automatically" take action to prevent this type of unintentional bandwidth usage in the even that they can not contact the customer. Then you block it upstream and Joe 4U doesn't have to take you to court for his $10,000 bill.

-JE

nat'l boundaries

[robi2106]

Argument extends ParentPost
{ //assuming ISP A and user X exist in USA
ISP B = new ISP(ISP_in_RUSSIA);
User Y = new User(I_don't_give_a_rip-Spammer);

Screw(A, X);

}

robi

Solvable through bandwidth throttling

[Jeremi]

Instead of shutting down high bandwidth users or charging them extra fees, the ISPs should just prioritize packets: the more bandwidth a user uses, the more his packets get deprioritized. That way the heavy users get to use all the "leftover bandwidth" that the light users didn't use, and the light users get priority (and hence, good network performance).

Such a setup would allow for full utilitization of the network bandwidth and avoid all the hassle of pissing people off by sending them extra bills or suspending their account.

Burst and 95th Percentile

I have been designing and operating large service provider networks for nearly ten years. This topic has been fiercely debated among my peers, so for further background I recommend that you check the mailing list archives at http://www.nanog.org.

For flooding attacks and mass vulnerabilities, there is no doubt in my mind that this is the responsibility of the service provider. In fact, if service providers would cooperate by implementing sound routing policy, most of the flooding attacks on the internet would be eliminated as a whole. Its simple: Do not forward a packet originating in your AS unless said packet is from your address space. The customer *already* pays for the ability to burst, hence 95th percentile billing.

As for other attacks, I think that compromised hosts on a customers network are the customers responsibility. Get owned, and pay the bill. Service providers have no business dictating customer security policy if the internet is to remain an open medium.

Why are we paying 2 times on same packet?

[Fallen+Kell]

Just wondering this. If the person sending the packet pays a bill for that packet and the person recieving that packet also pays a bill, they are both paying on that same packet. Why not just shift the price so that only sending packets are paid for?

I know its a stupid question, but why not? Other then the fact that somewhere someone is saying "Shit, people finally woke up and realized they are paying twice for the same thing, there goes half our revenue." Why ARE we paying twice? Either pay for outgoing, or pay for incomming. If somewhere someone already paid to send that packet to the net, then the reciver should not have to pay for recieving that packet, or vice-versa.

The only real problem I can see with this is that you have clients and you have servers. With clients sending few packets to recive back several thousands (or millions). A new pricing model should really be setup for the whole system, but that will never happen unless everyone stops making money off the current system.

Real world not like posts on /.

[Hornstar]

What many posts in this thread do not seem to take into account is the greater reality that is the web. With a completely patched server and firewalling that drops packets not desired to hit said server, incoming bandwidth is changed none-whatsoever. You have zero control over traffic until that traffic hits a device under your direct control. With most ISP's, that device can only be placed well past their traffic monitoring point. Ergo, you pay for bandwidth whether you want it or not.

You do have the ability to reduce the total amount of bandwith consumed by dropping unwanted return connections but that may be irrelevant if your site is subjected to a DDoS attack.

The largest problem lies in determining whether traffic is "legitimate" traffic BEFORE it passes through the ISP's network to the client. That said, there are a great many possible ways to accomplish this, such as:

• Historical traffic pattern comparisons: A connection that has never received a UDP packet in its history may not suddenly want 2Gb worth of UDP queries. That traffic can be dropped (or at least throttled) to minimize customer impact.
• Customer specified port use: Offer co-lo customers the ability to limit port access at the ISP router, offer to limit basic Internet Service customers to standard outgoing ports at same.
• Reality-based connection management: An amalgam of the above, if a client machine suddenly starts generating continuous outgoing connections to web servers, it might be possible that the client does not want to view 400 porn sites per minute. Use logic and reason to control outgoing and incoming traffic.

The above are merely ideas or concepts, I will leave implementation to those that require the features. But it gives a good idea of the directions that an ISP can go to mitigate the costs of unwanted bandwidth. Just like Credit Card companies will call a customer to verify that they really do want to purchase that Tiffany diamond in a State they've never visited before, maybe ISP's should be monitoring traffic for irregular patterns and contacting customers to verify that the traffic is legitimate.

ISP's can't merely turn a blind eye when the entire netblock they serve starts sending or receiving traffic generated by the latest worm, virus, etc. They should do their best to mitigate their losses and losses of their customers.

I'm not saying that customers are without blame, just that the people running ISP's may have more technical knowledge that that of their customers and should be proactive in protecting those customers from further harm. If you want a real-world, non-technical example, think Firestone and Ford. A problem created outside of Ford that could have been eliminated before reaching the customer if only greater due dilligence had been used. By ignoring or overlooking the problem (I don't know the exact details) both Ford and its customers were negatively impacted. Was it Ford's fault that the tires were faulty? No. Could they have done something about the tires earlier? Possibly. Could the customer do something about the tires? Yes, but only after they knew of the problem by experiencing the negative consequences.

The scenario doesn't differ much when applied to unwanted bandwidth. If ISP's fail to do their part, unwitting customers will always suffer.

Make it work like credit card liability.

[Above]

This is like having your credit card stolen. If you notice, and notify the company promptly so they can start blocking charges then you are only out $50 (and sometimes they even waive that). However if you don't notice until your bill comes at the end of the month that it's been gone for a whole month, then you're out the whole amount.

Same thing for bandwidth. If the customer notices a problem and notifies the ISP so they can take steps to block / track the attack then they shouldn't have to pay. However, if they are too lazy to monitor their own gear, and/or call the ISP they deserve every dollar they get charged. The customer needs to be a partner with the ISP in fighting these sorts of things, otherwise the ISP never has a chance to catch the real criminals.

Of course, all this is for medium size and up ISP customers. Smaller businesses and/or individuals may just want a "turn it off if it goes above x" until I call model, which is completely reasonable.

How about I actually get the bandwidth I pay for?

[Egekrusher2K]

Ok. When I pay for 768 kbs up/down, I want to be able to utilize that bandwidth ALL THE TIME. I don't want to be capped at 30GB worth of file transfers a month, when I could, theoretically, push 312.5 GB of file transfers (one way!). I want what I pay for, NOT what the ISP feels like giving me AFTER I've already given them my money for an allotted amount of bandwidth per second. When I first signed up for cable, there WASN'T anything in the contract stating that there was a monthly limit on file transfers. I didn't know until I got a call from my ISP saying that they "could" charge me $2,000 dollars for my bandwidth "ABUSE" *cough use*. I then went back and re-read the contract.. it appears as if it was added in AFTER I signed up.

The "Mall" analogy

[digital+photo]

It's a tough problem. You don't want your ISP playing God. Yet, you don't want to pay for unexpected bandwidth.

That's like saying you only want good bandwidth and none of the bad bandwidth. :)

Let's use a Mall analogy:

You build a shopping mall. There are roads leading into your mall. The city maintains the roads, but the parking lot and accessways into the malls and shops are maintained by you, the site owner.

If you get alot of paying customers coming and they jam up your parking lots and driveways and walkways with cars and people who are willing to pay, you don't say anything because you're getting money.

However, let's say you get alot of non-paying traffic. A large group of people decide to find a place to gather and organize and decide on your mall. They take up your parking spaces and take up the chairs in your food court or block walkways while they chat. No money being earned.

It's still traffic, but it is traffic you don't want. You still have to pay the electric bills and road maintenance. But you don't get compensated.

Who should foot the bill for your losses?

Seriously, the customer should monitor their systems and when they detect anomalies, should be able to work with their ISP to have the traffic in question blocked off. In the event of a DDOS/DOS, then they should seriously consider taking their system off the pipe.

ISPs should see this as a profit potential. I mean, offer your customers content based filtering. Let them setup their own filters and provide assistance service contracts.

In the end, the ISPs will make extra money, customers will feel more supported, and the network bandwidth will be better utilized.

As for the Mall, if there are people taking up space to the point of disturbing your business, it may be time to call in the police.

Customers and Providers really need to work together instead of pointing the finger.