Slashdot Mirror


Bad Behavior on the 'Net - Who Pays the Bandwidth Bill?

rakolam asks: "I am involved with network management in the hosting department of a fairly large ISP. Constantly we have customers who dispute inbound bandwidth spikes and demand service credits on their burstable connections. Events such as the Slammer Virus literally have everyone knocking on their salesperson's door at the end of the billing cycle. My position is that the internet is a public space, and by placing themselves in that space, one has to realize the consequences (and the implications of burstable billing). I'd like Slashdot's perspective on this. Should ISPs ultimately eat the costs of malicious behavior? Is the customer ultimately responsible for the bandwidth they've generated, regardless if it's desired or not? Is this a new frontier for insurance companies?"

24 of 595 comments

  1. analogous to water/electric company IMHO by rdewald · · Score: 5, Insightful

    What happens to you if someone runs an extension cord from your house or if you spring an unknown water leak? You get a huge bill and you fix the problem. How is this different?

    --
    The best way to do is to be.
    1. Re:analogous to water/electric company IMHO by captain_craptacular · · Score: 5, Insightful

      Bad Analogy. The poster says customers dispute INCOMING bandwidth spikes. So the analogy would be more along the lines of someone sending a huge power surge through your lines un-announced and un-requested, then the power company attempting to charge you for it.

      I lean towards the consumer not having to pay, considering they didn't request the traffic and are therefore not responsible for it.

      --
      They who would give up an essential liberty for temporary security, deserve neither liberty nor security
    2. Re:analogous to water/electric company IMHO by Fishstick · · Score: 5, Insightful

      Yep, I was thinking along the same lines. It's like having a drinking fountain outside your house for public use - you are expecting maybe 10-20 gallons monthly as people stop by and have a quick sip. Then, you get all pissed when your water bill comes and 5,000 gallons show up when the circus comes to town and all the clowns have used your water fountain to fill all their water balloons. :-)

      Do you then go ask for a credit from the utility because of the excessive/unexpected use?

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    3. Re:analogous to water/electric company IMHO by luzrek · · Score: 4, Insightful
      build in clauses that say the end-user is required to notify the ISP of problematic access within a certain timeframe

      This would be like dealing with stolen credit cards. When a credit card is stolen the owner gets 24 hours to report it and is only liable for $50. If they wait up to 72 hours, they are only liable for $500. I'm not sure what happens after that. This system protects both the credit card company and the credit card user by ensuring prompt reporting of stolen credit cards and fraudulent activity (and can hopefully catch the crook). This system has worked fairly well.

      The implications for ISPs and their customers for a similar system would be pretty interesting. The customers who actively monitor their network traffic and help to head off problems would be rewarded by being less liable for damage, while ISPs would be free to give the full bill to those who ignore their bandwidth usage. This system should lead to lower costs for the better customers and discourage negligence possibly leading to better service for all.

      --

      Gallium Arsenide is the material of the future, and always will be.

    4. Re:analogous to water/electric company IMHO by DanEsparza · · Score: 5, Insightful
      I completely disagree. Bandwidth is analogous to people using roads (network connections). If roads are heavily used, they must be maintained, or they fall into disrepair. If network connections are heavily used, ISPs need capital to get bigger (or more) connections so that certain service levels can be maintained.

      We don't live in an (entirely) communist world. We don't get to pass out resources indiscriminately. We have a fixed amount of resources, and as with any case of supply and demand, the person holding the supply can (and should) charge for using the resource. In the case of network bandwidth, the resource is not obvious, but it is still tangible: It is network equipment and opportunity costs.

    5. Re:analogous to water/electric company IMHO by rodney+dill · · Score: 3, Insightful

      Pick your analogy.

      You can also use the analogy of junk faxes. Your machine is set up and the number is available for anyone to call, but people can be prohibited from using your resources by sending you junk faxes.

      Though without specific laws it probably comes down to contract and at that point it is probably buyer beware, whether you agree with it or not.

      --

      Use your head, can't you, use your head,
      You're on earth, there's no cure for that
      - S. Beckett
    6. Re:analogous to water/electric company IMHO by Fishstick · · Score: 3, Insightful

      >my small scale situation may not translate to a large business account.

      Exactly. Not even a large account. If you shut me off for the rest of the month, I've got a problem. I need to have my site accessible. I just want to pick and choose which access (legitimate) I want to pay for. ;-)

      Someone else said the ISP should firewall off the "bad" traffic. Does the ISP then complain to its upstream provider about that bandwidth? Someone has to either pass on the cost of that bandwidth or eat it.

      Where do you draw the line? You could argue that your ISP has no business charging you for inbound UDP packets to SQL server port (1443 was it?) since you expect to only provide http on port 80. Next month there is another virus/worm that causes another spike, but this time by flooding the net with bogus TCP traffic on port 80. Now do you try to get your ISP to take that off your bill because it was from a virus/worm?

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    7. Re:analogous to water/electric company IMHO by DunbarTheInept · · Score: 4, Insightful

      Firewalling doesn't solve the problem. By the time the packet reaches the ISP's customer, it's already been counted. Whether the customer replies to the request or denies it with negative feedback, or just ignores it - doesn't matter - it's already been passed through the ISP on the way to reach the customer, so they've already counted it.

      If you hold the customer responsible, then people angry with that person can just drive up that person's cost by choosing to flood him.

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  2. Users just won't pay by drfuchs · · Score: 5, Insightful

    If someone steals my credit card number, the credit card company won't even charge me the $50 that they have the legal right to. I doubt that ISPs will be able to fare any better.

  3. The customer always pays by chrisseaton · · Score: 3, Insightful

    You could let them think that you were "eating the cost", but everyone knows it would simply be passed to the customers in the end.

    1. Re:The customer always pays by timeOday · · Score: 3, Insightful
      This argument is overused. If it were true, companies wouldn't balk at paying for things, which they invariably do.

      But it's not true. If McDonalds loses $80 in a lawsuit to somebody burned with hot coffee, they *can't* just raise their prices to recoup; their prices were already set to maximize profit before. So what gives? Profit. McDonald's shareholders lose, not the public at large.

  4. It's not the ISP's responsibility by Mustang+Matt · · Score: 3, Insightful

    It sucks for them, but it's their server on the net and their responsibility to pay for the bandwidth used.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  5. It's in the contract by eagle486 · · Score: 5, Insightful

    The customer pays what is in his contract. Make the language very explicit. There is no reason the ISP should eat it.

  6. In other words by djKing · · Score: 5, Insightful

    Should /. pay the bill for the /. effect?

    -Peace

    --
    Free as in "the Truth shall set you..."
  7. Balanced response. by gehrehmee · · Score: 5, Insightful

    Give them a complete or partial rebate, the first time, and have a set of "How can I protect myself?" documentation ready for the user. Email it to them, mail it to them, fax it to them, whatever it takes to get them to read it.

    Inform them that if they ignore those suggestions, and future problems end up costing them money, then they'll have to foot the bill.

    This way, the customer walks away happy and informed, and if they're really willing to be a good net citizen, they won't come back crying.

    If they're not willing to do what's required of them, they'll get stuck paying for it.

    --
    "You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
  8. Re:Simple policy by sweetooth · · Score: 5, Insightful

    Protecting yourself from an attack, such as code red, doesn't mean it doesn't still eat bandwidth. It's the same with anything. I noticed today that my mail server was a little sluggish. I sshd into it, checked the logs and saw the same bastard attempting to send spam to the server and tons of rbl lookups were taking place. So I added the various IPs to the firewall's blacklist. So now the mail isn't processed, but whatever program they are using doesn't even bother to check to see if the mail is being accepted, it just keeps spamming. So, I'm still having a fairly large percentage of my bandwidth being eaten because of a very inconsiderate individual. Stopping code red was the same. At one point I was logging thousands of attempts every day. They were not successful, but they still ate the bandwidth.

    I don't know what the solution to the problem is exactly. As it stands now I pay for any bandwidth used regardless of how or why it was used. It would be much better if those charges could be passed along to the person responsible for abusing your bandwidth, but how that could be enforced is beyond me.

    One thing I have to note here is that the person posing the question is talking about INBOUND spikes not outbound. So your points are even less relevant.

  9. Bad business by Obiwan+Kenobi · · Score: 4, Insightful

    If you treat your customers like this, you're going to lose them. Simple as that.

    I liked the analogy someone else came up with, such as someone running an extension cord from your house to theirs. Who is responsible here?

    If I had hosting with your company, and the slammer bug hit servers that your sys admins failed to update, then you better eat that burstable bandwidth bill or a lawsuit couldn't be far behind (depending on the amount, of course). If the servers were my responsibility, including keeping them updated, etc, then I could understand your reasoning.

    If a DDoS attack cripples my site, and you expect me to pay for that, you're sorely mistaken.

    The simple fact is if they caused it, they paid for it. This includes patches/fixes the customer should've implemented. If you run and maintain that server for them, then no bill increase should be applied.

    If someone out in the world caused it, a random malicious event that they just so happened to be on the brunt end of, just throw away that burstable bandwidth bill and make sure your customer knows you did them a favor.

    It may not be your place to pay for that second scenario, but you'll keep your customers longer, keep them happier and keep word of mouth on your company going strong.

    It's just good business. Were this my company, I would never even think of treating customers this way.

  10. 95th percentile model anyone? by Anonymous Coward · · Score: 3, Insightful

    I thought many bandwidth providers had moved to a 95th percentile model to bill for bandwidth. Ignore the top 5% of the usage samples for this month and bill at the customer's 95% usage. This means that any sudden spike doesn't count against your bandwidth. Lots of spikes, or a spike that is not handled within a day moves the 95th percentile way up.
    Our upstreams bill us this way, and all of our burstable downstream customers are billed this way. It works well that way.
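
The 95th percentile model described in the comment above, as an added example that is not part of the original thread. The 5-minute sampling interval, the 30-day month, the traffic figures, and the rule that the greater of the inbound and outbound figures is billed are assumptions made for illustration.

```python
SAMPLE_MINUTES = 5                       # assumption: one usage reading every 5 minutes
SAMPLES_PER_HOUR = 60 // SAMPLE_MINUTES

def p95(samples_mbps):
    """Sort the period's samples, discard the top 5%, return the highest one left."""
    if not samples_mbps:
        raise ValueError("no usage samples for this billing period")
    ordered = sorted(samples_mbps)
    # Nearest-rank percentile, ceil(0.95 * n), done in integers to avoid float rounding.
    rank = (95 * len(ordered) + 99) // 100
    return ordered[rank - 1]

def billable_rate(inbound_mbps, outbound_mbps):
    """Assumption: the provider bills the greater of the two directions."""
    return max(p95(inbound_mbps), p95(outbound_mbps))

def forgiven_hours(days=30):
    """How many hours of peak traffic fall inside the discarded top 5%."""
    n = days * 24 * SAMPLES_PER_HOUR
    discarded = n - (95 * n + 99) // 100
    return discarded / SAMPLES_PER_HOUR

def month_with_flood(normal_mbps, flood_mbps, flood_hours, days=30):
    """Constructed sample data: a flat month with one flood of the given length."""
    n = days * 24 * SAMPLES_PER_HOUR
    flood = min(n, flood_hours * SAMPLES_PER_HOUR)
    return [flood_mbps] * flood + [normal_mbps] * (n - flood)

# Constructed customer: a web server sending 40 Mbps and normally receiving 5 Mbps.
OUTBOUND = month_with_flood(40, 40, 0)

def bill_for_flood(hours):
    """Billable Mbps when an unrequested 900 Mbps inbound flood lasts `hours`."""
    return billable_rate(month_with_flood(5, 900, hours), OUTBOUND)

if __name__ == "__main__":
    print("peak hours discarded per 30-day month:", forgiven_hours())
    for hours in (6, 36, 37, 48):
        print(f"{hours:>2} h inbound flood -> billed at {bill_for_flood(hours)} Mbps")
```

With these assumptions the discarded 5% covers 36 hours of a 30-day month, so a flood that is filtered upstream within that window does not change the bill, while one left running longer sets the billed rate for the whole month.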

  11. proof of malicious intent by ShortSpecialBus · · Score: 4, Insightful

    Unfortunately, there would have to be proof of malicious intent, or at LEAST a reasonable knowledge that linking to the page would cause the business to lose money.
    While /. would have a reasonable knowledge that linking to the page will cause the page to load slowly, they don't know what sort of connection the page is on, nor is it their responsibility to find out.

    The day anybody becomes liable for linking to a page on the internet will be the end of the world wide web...that's the whole premise of the thing...

    The only thing I can think of is something similar to the robots.txt file...have your webserver have a slashdot.txt file that says something like NoSlashdotLinkage = true in it or something, anything similar to the thing for preventing search engines.

    --
    //FIXME: Bad .sig
  12. Re: Simple policy by penguinboy · · Score: 3, Insightful

    That's not likely to be an acceptable solution when the computer in question is a server that your business depends on to make money. Not everyone on the net is a home user who can take a few hours' break at whim.

  13. Legal Liability by Anonymous Coward · · Score: 3, Insightful

    What you may be interested in is where you stand legally. A RAND study made during the middle eighties (obviously not internet related) covering similar thefts returned the following conclusion.

    In the case where the theft occurred (mutually) from both a commercial and private victim, the commercial victim is generally assigned the majority of the loss because they are considered to have superior knowledge and been in a better position to have prevented the theft from taking place.

    Since the theft was allowed by two entities (the target Computer and the ISP servers that allowed the theft to take place), both entities would probably be apportioned a percentage of the cost.

    Since this has never gone to court, there is no case material to set some form of guidelines.

    My guess is that apportioning the entire blame to the customer (and billing them) would not hold up if the customer filed against you.

    Depending on what measures your ISP has taken to prevent this type of abuse (filters, scanning, etc.) you could probably get away with some form of apportionment where the customer is billed for part of the cost.

    Tom

  14. I get What i Pay for by visionsofmcskill · · Score: 3, Insightful

    ISPs should eat the costs.... If you provide me with a service that claims to provide me with a certain bandwidth.... then that is what I get.

    Because YOUR (isp) system of delivering bandwidth is faulty or doesn't account for abuse potentials is NOT my (consumer) fault.

    If you decide to enforce a D/L cap, I myself will not be your customer....

    If I was the average joe who opted to take on that bandwidth cost then I would blame YOU the ISP for allowing malicious data to be replicated at obvious expense.... as in if a port is responsible for great amounts of malicious (repetitive, near obvious redundant packet exchanges indicative of an attack, worm, or virus).

    The whole thing is, as an isp... the service you provide should be a fully enclosed package... no hidden/additional costs. And bandwidth capping should not incur automatic additional costs to the consumer after a limit is reached, it should result in a great limiting of bandwidth (after a certain amount is reached) or in a blocked connection (allow only the company's IP until the customer buys more bandwidth).

    My personal opinion, we are getting dicked by the telecommunications industry from the top down... everything from home phones, cable, cell phones, broadband, T1's and more are grievously over-priced at a near basement cost to the mother companies. By the time a consumer receives their data the fixed price of hardware and the cost of ELECTRICITY has been multiplied ten-fold. Mid-Range ISPs are being squeezed by the big players, and in turn are having to offer misleadingly high "bandwidth" speeds with BullShit Capping.

    Downloading megabytes into your cell-phone doesn't cost sprint shit, but you'll have to pay 1.00 per DL.

    Of course the tel-co's are screaming bloody murder about their losses, but it isn't from data rates.

    As a last note.... when we were all using 56kbps modems you could DL for days on end... you could call your local BBS and be charged a phone call while DLing full-speed for hours.... No extra cost... didn't cost them a thing since we paid for the phone-call.... Now that High-Speed is in the home.... and the tel-co's found they could save even more money by offering bandwidth speeds based on diluted averages of many users, they think it's fair to make more money by punishing those who ACTUALLY USE THEIR bandwidth. Bandwidth which is only ELECTRICITY. Do you honestly think Time Warner can offer 500 channels of digital cable, with "on demand" channels (where you can choose a movie and play it immediately) for 60$ bucks a month and not provide that same (nearly continuous) data rate to internet connections?

    Luckily.... with the advent of online movies, music and application servers and such, soon even joe email will be needing a constant high-speed connection.

    Just my two cents.... VISION
    --Enter The Sig--

    --
    --Idiots, Every single one of YOU, A flaming mass of conglomerated morons, hey wait a second, isn't that how RAID works?
    1. Re:I get What i Pay for by man_ls · · Score: 3, Insightful

      Burstable bandwidth means you're paying for this much - but if your server for some reason needs more, instead of being screwed and dropping connections, your server gets more bandwidth, which you pay for.

      Good for low-usage servers with very short spikes of popularity.

      You've just said that the ISP should eat the cost of the extra bandwidth...why? You agreed to burstable charges...they gave you more in advance, on condition you would pay for it with your next bill.

      "Because YOUR (isp) system of delivering bandwidth is faulty or doesn't account for abuse potentials is NOT my (consumer) fault."

      "If you decide to enforce a D/L cap, I myself will not be your customer...."

      With that type of an attitude, you're saying you are entitled to unlimited bandwidth. The datacenter has an OC-48 into it...does that mean you're entitled to that? Not unless you paid for it...

      The network has the capability to deliver high speeds, but if you didn't pay for that speed you're not entitled to it any more than someone who doesn't have the service at all is.

  15. Real world not like posts on /. by Hornstar · · Score: 3, Insightful

    What many posts in this thread do not seem to take into account is the greater reality that is the web. With a completely patched server and firewalling that drops packets not desired to hit said server, incoming bandwidth is changed none-whatsoever. You have zero control over traffic until that traffic hits a device under your direct control. With most ISPs, that device can only be placed well past their traffic monitoring point. Ergo, you pay for bandwidth whether you want it or not.

    You do have the ability to reduce the total amount of bandwidth consumed by dropping unwanted return connections but that may be irrelevant if your site is subjected to a DDoS attack.

    The largest problem lies in determining whether traffic is "legitimate" traffic BEFORE it passes through the ISP's network to the client. That said, there are a great many possible ways to accomplish this, such as:

    • Historical traffic pattern comparisons: A connection that has never received a UDP packet in its history may not suddenly want 2Gb worth of UDP queries. That traffic can be dropped (or at least throttled) to minimize customer impact.
    • Customer specified port use: Offer co-lo customers the ability to limit port access at the ISP router, offer to limit basic Internet Service customers to standard outgoing ports at same.
    • Reality-based connection management: An amalgam of the above, if a client machine suddenly starts generating continuous outgoing connections to web servers, it might be possible that the client does not want to view 400 porn sites per minute. Use logic and reason to control outgoing and incoming traffic.

    The above are merely ideas or concepts, I will leave implementation to those that require the features. But it gives a good idea of the directions that an ISP can go to mitigate the costs of unwanted bandwidth. Just like Credit Card companies will call a customer to verify that they really do want to purchase that Tiffany diamond in a State they've never visited before, maybe ISPs should be monitoring traffic for irregular patterns and contacting customers to verify that the traffic is legitimate.

    ISPs can't merely turn a blind eye when the entire netblock they serve starts sending or receiving traffic generated by the latest worm, virus, etc. They should do their best to mitigate their losses and losses of their customers.

    I'm not saying that customers are without blame, just that the people running ISPs may have more technical knowledge than that of their customers and should be proactive in protecting those customers from further harm. If you want a real-world, non-technical example, think Firestone and Ford. A problem created outside of Ford that could have been eliminated before reaching the customer if only greater due diligence had been used. By ignoring or overlooking the problem (I don't know the exact details) both Ford and its customers were negatively impacted. Was it Ford's fault that the tires were faulty? No. Could they have done something about the tires earlier? Possibly. Could the customer do something about the tires? Yes, but only after they knew of the problem by experiencing the negative consequences.

    The scenario doesn't differ much when applied to unwanted bandwidth. If ISPs fail to do their part, unwitting customers will always suffer.
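
One way an ISP could run the historical traffic pattern comparison from the comment above, as an added example that is not part of the original thread. The byte counts, the 5x growth factor, the 1 MB noise floor and the action names are all constructed assumptions.

```python
from collections import defaultdict

# Constructed history: inbound bytes per protocol for one customer, one dict per interval.
HISTORY = [
    {"tcp": 52_000_000},
    {"tcp": 64_000_000, "icmp": 20_000},
    {"tcp": 62_000_000},
]

def build_baseline(history):
    """Highest per-interval volume ever seen for each protocol."""
    peak = defaultdict(int)
    for interval in history:
        for proto, nbytes in interval.items():
            peak[proto] = max(peak[proto], nbytes)
    return dict(peak)

def review_interval(interval, baseline, growth=5, noise_floor=1_000_000):
    """Decide, per protocol, whether the ISP passes traffic or checks with the customer.

    growth and noise_floor are hypothetical tuning values, not taken from the thread.
    """
    findings = {}
    for proto, nbytes in interval.items():
        seen_peak = baseline.get(proto, 0)
        if nbytes < noise_floor:
            findings[proto] = "pass"                 # too small to affect the bill
        elif seen_peak < noise_floor:
            # Effectively new at this volume: the "never received UDP" case.
            findings[proto] = "throttle-and-verify"
        elif nbytes > growth * seen_peak:
            findings[proto] = "verify"               # known protocol, abnormal volume
        else:
            findings[proto] = "pass"
    return findings

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    worm_interval = {"tcp": 70_000_000, "udp": 2_000_000_000, "icmp": 30_000}
    print(review_interval(worm_interval, baseline))
```

A "verify" result corresponds to the credit-card style phone call in the comment; "throttle-and-verify" limits the cost while the customer is being contacted.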