Bad Behavior on the 'Net - Who Pays the Bandwidth Bill?
rakolam asks: "I am involved with network management in the hosting department of a fairly large ISP. Constantly we have customers who dispute inbound bandwidth spikes and demand service credits on their burstable connections. Events such as the Slammer virus literally have everyone knocking on their salesperson's door at the end of the billing cycle. My position is that the internet is a public space, and by placing themselves in that space, one has to realize the consequences (and the implications of burstable billing). I'd like Slashdot's perspective on this. Should ISPs ultimately eat the costs of malicious behavior? Is the customer ultimately responsible for the bandwidth they've generated, regardless of whether it's desired or not? Is this a new frontier for insurance companies?"
What happens to you if someone runs an extension cord from your house or if you spring an unknown water leak? You get a huge bill and you fix the problem. How is this different?
The best way to do is to be.
Every ISP should base charges only on how much traffic you send. That would give people a real incentive to keep their systems patched and secured. You wouldn't have to pay a ridiculous amount if you're on the receiving end of a DoS. You would have to pay if your systems get hacked or catch a worm, though.
Alas, unless every ISP participated, this model wouldn't work well.
If someone steals my credit card number, the credit card company won't even charge me the $50 that they have the legal right to. I doubt that ISPs will be able to fare any better.
You could let them think that you were "eating the cost", but everyone knows it would simply be passed on to the customers in the end.
Keep up to date on current worms and other bandwidth threats. Notify your customers about these threats, and provide information on how to eliminate or reduce the impact.
Any massive bandwidth they log after that, is their responsibility. You notified them, and they did not listen.
After a few incidents like that, they will start to listen to your warning messages.
...
It sucks for them, but it's their server on the net and their responsibility to pay for the bandwidth used.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Is he hosting something on your servers, or does he have a box co-located? I would say he is responsible if he has to administer his box; otherwise, the ISP should bear the costs.
The customer pays what is in his contract. Make the language very explicit. There is no reason the ISP should eat it.
Should /. pay the bill for the /. effect?
-Peace
Free as in "the Truth shall set you..."
Considering the variety of bandwidth providers, acceptable terms of service (TOS) and all that, eventually it will become a matter of taste, preference and terms that can be agreed on. How many subscribers want traffic shaping, inbound or outbound, on their interface? Wouldn't customers PAY for making sure that the only traffic spikes they can get are mail or HTTP related? I'm sure a lot of my hosting clients would love a system where they pay for the bandwidth they use, but where limits are in place to make sure excessive bandwidth usage is actually the usage they pay for.
Since DiffServ and other standards-based solutions are ready to be implemented, perhaps you should consider talking to your whiniest clients about it?
Yes I know it doesn't apply to all clients, and not every provider has the extra router/switch cpu power to implement them on all links...
But wouldn't such a solution be a good way to keep the more demanding clients (increasing the value they get: bandwidth for the right traffic) and decrease the tax that hackers, distributed DoS and misconfigured systems make them pay (for undesirable traffic)? Maybe you should suggest this as a customer retention measure, for those clients where it makes business sense.
Well, on the one hand you have the credit card company model. They eat unauthorized charges all the time, and generally it is a good thing. Phone companies and other utilities do a similar thing: if you can prove the fraud, then they generally cut you some slack (though they might make you work for it). I think that this is a workable "consumer" friendly model. I think that generally, if one had a choice between two ISPs and one said we're gonna charge you no matter what, and the other said that we won't charge you for malicious use, assuming you can prove it, then I think that the choice would be obvious (price comparisons notwithstanding, of course).
I think it's simple to say you're responsible for your outbound traffic. If your machines are compromised, you should eat the bill for the traffic they generate. On the other hand, if you receive some wave of unwanted inbound traffic, you should definitely not be liable. Even a dropped UDP packet takes bandwidth.
In fact, I'd prefer a pricing model that is fixed for inbound and metered on the outbound. It puts a financial burden on spammers, copyright violators and the tragic/stupid victims of viruses. On the other hand, if you've got something to sell, you should be more than happy to pay for bandwidth used to move that merchandise.
Give them a complete or partial rebate, the first time, and have a set of "How can I protect myself?" documentation ready for the user. Email it to them, mail it to them, fax it to them, whatever it takes to get them to read it.
Inform them that if they ignore those suggestions, and future problems end up costing them money, then they'll have to foot the bill.
This way, the customer walks away happy and informed, and if they're really willing to be a good net citizen, they won't come back crying.
If they're not willing to do what's required of them, they'll get stuck paying for it.
"You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
I've always wondered where the cost for bandwidth comes from. I've assumed it is related to equipment and line maintenance, costs for professionals to maintain the equipment and expand the networks, and new equipment and housing.
Can someone give me an idea of where the price for bandwidth ultimately comes from?
Someday, you're going to die. Get over it.
It also would cause individuals to generate greater pressure on distributors to get patches out and visible to the general public. If the general public took more of an interest in internet security, there'd potentially be far fewer DDoS zombies out there.
There's nothing quite as eye-opening as a huge bill sitting on the table staring back at you.
And that's my 2 cents.
Perhaps the best solution would be to implement a flat rate under which you would just pay a set amount per month. If you exceeded this, then you would pay on a burst billing method for the bandwidth beyond that.
The real question becomes: where do you set the line? But that could be determined by average user usage; perhaps a study could be done over the course of a few months to see where people fall on this whole thing.
RonB
It is human nature to take shortcuts in thinking.
If you work on the ISP side you should be able to throttle bursts of bandwidth with the consent of your users. Should they decline to be throttled, then you should be able to charge. Why aren't you throttling bandwidth right now? A thousandfold increase in bandwidth use should raise suspicions unless the site was mentioned on Slashdot ;-)
Hajo Monogamy: Belief so strong that millions of people end perfectly good relationships in order to start a new one.
If you control shared servers and/or if you do not give users a configurable blocking mechanism (firewall, IP addr/range blocker, for web services a bogus URL block or the ability to ban individuals who spam sites) then you are, in fact, responsible for the bogus bandwidth usage.
If you want to keep that customer, you do what it takes to keep the customer. Remember the golden rule: 1 bad customer experience gets passed on to 20 people. If you think that this customer is going to put up with this, fine, go ahead and charge them. If you don't, you should suck it up. If they leave, not only will the money that you get from them go to zero, but they will bad-mouth you to enough other people that it does have a negative impact on your attempts to acquire more customers.
In other words, be a good guy, suck it up and the customer will trust you more the next time you attempt to raise their bill. Blow them off and the only thing that you might get from them is the finger.
My previous employer was unfortunate enough to be attacked by a series of distributed ICMP ping flood attacks. Our bill jumped from under $1K per month (Canadian) to over $10K in less than a day.
We adjusted our monitoring process to detect these spikes early and contact our ISP to deny traffic from the offending subnets. Luckily, our ISP was willing to do this, even though they still incurred traffic from inbound packets. Luckily, these attacks originated from a few subnets that could be isolated.
As a further kludge, we eventually disabled ICMP altogether on our routers, and lived without ping and traceroute.
Having a host on the net is a risky proposition. You pay for inbound and outbound traffic, regardless of the source, packet type, or quantity. DDoS attacks can not only prevent your server from being accessible, they could literally bankrupt you if you become a target and don't take preventative measures.
Hmm... One click bankruptcy. I wonder if anyone has tried to patent this yet...
Our ISP was technically capable of detecting and thwarting various attacks. Ultimately, the policy of monitoring and contacting an ISP when traffic exceeds a certain threshold seems like a workable solution for average co-locators.
Given the architecture of the Internet, it's difficult to see how we could shift the burden to pay away from the server to the client. It seems like a problem remarkably similar to the problem of spam.
My car gets 40 rods to the hogshead, and that's the way I likes it!
If you treat your customers like this, you're going to lose them. Simple as that.
I liked the analogy someone else came up with, such as someone running an extension cord from your house to theirs. Who is responsible here?
If I had hosting with your company, and the slammer bug hit servers that your sys admins failed to update, then you better eat that burstable bandwidth bill or a lawsuit couldn't be far behind (depending on the amount, of course). If the servers were my responsibility, including keeping them updated, etc, then I could understand your reasoning.
If a DDoS attack cripples my site, and you expect me to pay for that, you're sorely mistaken.
The simple fact is if they caused it, they paid for it. This includes patches/fixes the customer should've implemented. If you run and maintain that server for them, then no bill increase should be applied.
If someone out in the world caused it, a random malicious event that they just so happened to be on the brunt end of, just throw away that burstable bandwidth bill and make sure your customer knows you did them a favor.
It may not be your place as to pay for that second scenario, but you'll keep your customers longer, keep them happier and keep word of mouth on your company going strong.
It's just good business. Were this my company, I would never even think of treating customers this way.
If you want to keep the customer, the first time it happens, you might want to forgive the excess bandwidth charges (while pointing out the specific clause in the contract that says you have every right to charge them), tell them that it's "for this time only," and make a record of it. This is the type of action that can inspire customer loyalty. If you want to keep customers, you need to find some ways to differentiate yourself from all your competitors. Since you're keeping records, you should be able to tell if a customer is just trying to abuse your policies.
You need to ask yourself- how much did the excess bandwidth really cost, and how much is this customer worth to me in the long run? Probably, keeping that customer will make far more impact on your company in the long term than if you charged them, pissed them off, and inspired them to switch to another ISP.
I work for a small local ISP; before making any decisions we always look at it historically using MRTG. If the customer all of a sudden starts spiking up from their normal amount of traffic, then we will let it slide at first. We will warn them that they may need to check to see if there are any updates for their computers that can help. Also we tell them what to check for regarding P2P programs on computers that they may not know about. If it continues then we are justified in charging them more, because they didn't heed our warnings the first time. Most of the time the customer's computer(s) are at fault for the bursts that are coming in on their connection. Don't know if this helps in your case, but it seems to work well for us.
The problem with billing for excessive inbound traffic is that the user has absolutely no control over what they receive.
You can have the most sophisticated firewall on the planet, but due to the immutable laws of IPv4 you can NOT drop a packet until you see the packet. At which point you've already used the bandwidth (and incurred the cost) required to transport the packet that you're just going to drop.
This has nothing to do with patching your server. If you don't patch your server, and you get hit with a worm, and your box starts consuming huge amounts of bandwidth to attack other hosts, then it's your fault, and it's OUTBOUND traffic, and you absolutely should pay for it. But having your server patched does not stop you from receiving inbound packets. They may not harm your server when they get to it, but you already paid for the transit.
BTW, this is why it's illegal for a telemarketer to call you on your cell phone. Because in theory you had to answer the call (and incur expense) BEFORE you knew who was on the other end.
This is a similar issue, except that we're not talking about telemarketers... which are businesses that more or less follow the rules. We're talking about script kiddies that don't care about the rules. Or in the worst case, we're talking about a competitor, or enemy, or rival that just wants to DoS you for a month until you go out of business because of all the excess bandwidth charges you're paying!
The technology limits the liability of the consumer. The ISP must take some responsibility here and put systems in place that protect the consumer.
-JE
I work for a company that writes utility billing software... From the way that we see it, there's fixed and variable pricing... Make a cost-benefit analysis and figure out where the break should be for people to have a fixed fee versus variable... In events such as the Slammer virus, treat it like a water main break and eat the cost... It's like telling someone it's their fault they drive a car, that it got broken into... If the bandwidth is directly attributed to a situation that is out of the user's control, then don't charge them for it... But if they don't patch up once a patch becomes available (this should also mean that you, the ISP, have the patches readily available so there is no excuse for the user not doing it), then those later fees should be attributed to the customer...
I thought many bandwidth providers had moved to a 95th percentile model to bill for bandwidth. Ignore the top 5% of the usage samples for this month and bill at the customer's 95% usage. This means that any sudden spike doesn't count against your bandwidth. Lots of spikes, or a spike that is not handled within a day moves the 95th percentile way up.
Our upstreams bill us this way, and all of our burstable downstream customers are billed this way. It works well that way.
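To make the arithmetic of the 95th-percentile method concrete, here is an added Python illustration (not the poster's code or any ISP's billing system). The 5-minute sample interval, the 30-day month, the rates and the prices are all constructed assumptions; the percentile is computed by the nearest-rank method, and the example also shows exactly where the "spike handled within a day" claim stops holding.

```python
"""95th-percentile burstable billing, as described in the post above.

Added example, not the poster's code or any ISP's billing system.  Assumptions
(constructed): samples are 5-minute average rates in Mbps, as an MRTG-style
poller would record them; a billing month is 30 days; overage is priced per
Mbps above the committed rate.  The prices below are illustrative only.
"""

SAMPLES_PER_HOUR = 12                          # one sample every 5 minutes
MONTH_SAMPLES = 30 * 24 * SAMPLES_PER_HOUR     # 8640 samples in a 30-day month


def percentile_95(samples):
    """Nearest-rank 95th percentile: drop the top 5% of samples, return the highest left.

    Integer arithmetic avoids float rounding right on the rank boundary.
    """
    if not samples:
        raise ValueError("no samples in billing period")
    ordered = sorted(samples)
    rank = (95 * len(ordered) + 99) // 100     # ceil(0.95 * n), 1-based rank
    return ordered[rank - 1]


def free_hours_per_month():
    """Hours of a 30-day month that are discarded before billing (36.0)."""
    rank = (95 * MONTH_SAMPLES + 99) // 100
    return (MONTH_SAMPLES - rank) / SAMPLES_PER_HOUR


def month_with_spike(baseline_mbps, spike_mbps, spike_hours):
    """Constructed month: flat baseline plus one contiguous spike of spike_hours."""
    spike = spike_hours * SAMPLES_PER_HOUR
    if spike > MONTH_SAMPLES:
        raise ValueError("spike longer than the billing month")
    return [spike_mbps] * spike + [baseline_mbps] * (MONTH_SAMPLES - spike)


def monthly_charge(samples, committed_mbps, price_per_mbps):
    """Committed rate plus overage: whatever the 95th percentile exceeds the commit by."""
    p95 = percentile_95(samples)
    overage = max(0, p95 - committed_mbps)
    return {"p95_mbps": p95, "overage_mbps": overage,
            "charge": round(price_per_mbps * (committed_mbps + overage), 2)}


if __name__ == "__main__":
    # A worm-driven burst to 100 Mbps on a 10 Mbps commit, at an assumed $20 per Mbps.
    # Up to 36 hours of spike is free; at 37 hours the whole month is billed at 100 Mbps.
    for hours in (20, 36, 37, 72):
        result = monthly_charge(month_with_spike(10, 100, hours), 10, 20.0)
        print(f"{hours:>3}h spike -> p95 {result['p95_mbps']} Mbps, ${result['charge']}")
```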
This risk can be removed by turning any of your equipment off.
If they're being charged for incoming bandwidth (especially incoming UDP bandwidth like the slammer worm) then shutting off their server will not help.
As long as the router continues to send those packets to that IP, they'll keep getting those packets. It doesn't matter if the packets just fall off the end of an unplugged cable -- incoming bandwidth is incoming bandwidth is incoming bandwidth.
If I sent a huge SYN attack to your home DSL connection, and your machine crashes, are you responsible for the bandwidth before your machine goes down? Are you responsible for the bandwidth after your machine has crashed, but before the ISP's realized you're not on the other end anymore?
Slashdot is jumping the shark. I'm just driving the boat.
How shortsighted.
For one thing, the packets go down the wire whether the service is running or not. A box receiving thousands of requests per second for a service it isn't running still has to respond and say "sorry, not running here". Even if it's a few bytes per request, it adds up quickly.
Should a customer be charged for requests coming in for a service they don't offer? No, that's the point of the firewall (or packet filter really).
ISPs could have a new revenue stream by looking at this problem differently.
They can offer a firewall for a per-month fee and waive any bandwidth increases as a result of a DDoS attack or other worm-checking that could be blocked by the firewall. An active firewall could proxy HTTP requests, also filtering out common IIS exploits.
User doesn't want the firewall? Fine, you're responsible for all charges.
This would at least give end users an option instead of what will border on collusion when all the AUP/TOSs change to read the same thing.
Unfortunately, there would have to be proof of malicious intent, or at LEAST a reasonable knowledge that linking to the page would cause the business to lose money. /. would have a reasonable knowledge that linking to the page will cause the page to load slowly; they don't know what sort of connection the page is on, nor is it their responsibility to find out.
While
The day anybody becomes liable for linking to a page on the internet will be the end of the world wide web...that's the whole premise of the thing...
The only thing I can think of is something similar to the robots.txt file...have your webserver have a slashdot.txt file that says something like NoSlashdotLinkage = true in it or something, anything similar to the thing for preventing search engines.
//FIXME: Bad
This is why we don't offer burstable connections.
You pay for capped bandwidth, and your bill never changes.
Andy
If a phreaker beige boxes your home phone and runs up a huge bill, who eats that cost?
The answer should equate to who should eat the cost of a DoS trojan.
One of the few slashdot stories without a link ;)
I feel this is an excellent time to discuss SLASHDOT'S moral obligations in linking. Certainly some shops can handle the amount of traffic that is sent their way by getting posted here, but in other cases the server gets hosed, the bandwidth bill goes through the roof, or worse! (remember the guy with the barcode entry system to his house?)
C'mon editors! At least make it so the front page links link to cached text copies sans images or something.
Every ISP should base charges only on how much traffic you send. That would give people a real incentive to keep their systems patched and secured. You wouldn't have to pay a ridiculous amount if you're on the receiving end of a DoS. You would have to pay if your systems get hacked or catch a worm, though.
Good idea but it doesn't quite go far enough.
You should be billed for the traffic you CAUSE or SOLICIT, and thus have control over. Much of internet traffic is things like web browsing, which involves a small request soliciting a large reply. If you suck down 60 megabytes of web porn, MP3s, or FTP downloads, it's your bill. Similarly if you host a server, which accepts little requests and pours out data, it's your bill.
But if somebody starts sending you unsolicited packets, that's like somebody making nuisance calls or pages. (You will notice that pagers, at least, are generally NOT billed by the page. They tried that, and the customers rebelled because they had no way to block idiots with autodialers.)
So something with a little deeper visibility is in order. Here's a fair approach:
TCP: You get billed if you make, attempt to make, or accept a connection. You don't get billed for attempted connections you refuse or that don't get completed (i.e. SYN and other DoS attacks).
UDP: You get billed for outgoing UDP packets. If the billing machine is sufficiently stateful, you might also be billed for incoming UDP packets that ARE replies to a recent outgoing UDP request using a well-known UDP request/reply protocol. (This would prevent cheating but still protect you against getting billed for both DOS attacks and forged-reply billing attacks.)
ICMP: All are free except outgoing ECHO REQUEST (ping), because they're a mandated part of the network overhead. (You don't want to bill inbound ECHO REPLIES, to prevent billing for forged reply attacks. But you might bill ECHO REQUEST as if it went both inbound and outbound, to cover the expected ECHO REPLY without making the billing machine stateful about ping "connections".)
That should pretty much cover it. Customers would:
- be fairly billed for the bandwidth they used, caused to be used, or allowed to be used,
- not be billed for unsolicited "phone calls", DoS attacks, or mandated network overhead, and
- have a strong financial incentive to keep their system secured against crackers and malware (such as viruses and worms).
And installing a get-around-the-billing hack (like PPP-over-ECHOREPLY) would be a violation of terms-of-service and cause for disconnection - or changing the billing of that customer back to "all bandwidth co$t$" B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
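The TCP/UDP/ICMP rules laid out in the post above, turned into a small stateful meter as an added Python example (not the poster's code or any real billing system). The packet tuple format, the RFC 5737 addresses, the 30-second window for matching inbound UDP to an earlier request, and the sample month of traffic are all constructed for illustration.

```python
"""Stateful billing meter for the per-protocol rules proposed in the post above.

Added example, not the poster's code or any ISP's meter.  A packet is a
constructed tuple (ts_seconds, direction, proto, src, dst, size_bytes, info):
direction is "in" (towards the customer) or "out"; src/dst are (ip, port) for
TCP/UDP and (ip, None) for ICMP; info is a TCP flag string or an ICMP type.
"""
from collections import deque

UDP_REPLY_WINDOW_S = 30          # assumption: inbound UDP is a "reply" only to a request this recent
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


class BillingMeter:
    def __init__(self):
        self.billed = 0          # bytes the customer pays for
        self.free = 0            # unsolicited traffic and mandated overhead
        self.tcp = {}            # flow key -> {"open": bool, "pending": int}
        self.udp_requests = {}   # flow key -> deque of outbound request timestamps

    @staticmethod
    def _key(direction, src, dst):
        """Both directions of one flow share the key (customer_end, remote_end)."""
        return (dst, src) if direction == "in" else (src, dst)

    def observe(self, pkt):
        ts, direction, proto, src, dst, size, info = pkt
        getattr(self, "_" + proto)(ts, direction, src, dst, size, info)

    def _tcp(self, ts, direction, src, dst, size, flags):
        st = self.tcp.setdefault(self._key(direction, src, dst), {"open": False, "pending": 0})
        if st["open"]:                           # established: everything is billed
            self.billed += size
        elif direction == "out" and flags == "SYN":
            st["open"] = True                    # "make, attempt to make": billed outright
            self.billed += size
        else:
            st["pending"] += size                # inbound attempts are held, not billed yet
            if direction == "out" and flags == "SYN-ACK":
                st["synack"] = True
            elif direction == "in" and flags == "ACK" and st.get("synack"):
                st["open"] = True                # connection accepted: bill what was held
                self.billed += st["pending"]
                st["pending"] = 0

    def _udp(self, ts, direction, src, dst, size, _info):
        key = self._key(direction, src, dst)
        if direction == "out":
            self.billed += size
            self.udp_requests.setdefault(key, deque()).append(ts)
            return
        recent = self.udp_requests.get(key)
        while recent and ts - recent[0] > UDP_REPLY_WINDOW_S:
            recent.popleft()                     # forget stale requests
        if recent:
            self.billed += size                  # genuine reply to a recent request
        else:
            self.free += size                    # flood or forged reply: not billed

    def _icmp(self, ts, direction, src, dst, size, icmp_type):
        if direction == "out" and icmp_type == ICMP_ECHO_REQUEST:
            self.billed += 2 * size              # prepay the expected ECHO REPLY
        else:
            self.free += size                    # mandated overhead, replies, inbound pings

    def close_month(self):
        """Inbound handshakes that never completed (SYN floods, refused connects) stay free."""
        self.free += sum(st["pending"] for st in self.tcp.values() if not st["open"])
        self.tcp.clear()
        return self.billed, self.free


def meter_sample_month():
    """Constructed traffic: one web hit, one DNS lookup, a SYN flood, a forged-reply
    UDP flood and pings in both directions.  Returns (billed, free) bytes."""
    cust, web, atk = "203.0.113.10", "198.51.100.7", "192.0.2.99"   # RFC 5737 addresses
    pkts = [
        (1, "in", "tcp", (web, 40000), (cust, 80), 60, "SYN"),
        (1, "out", "tcp", (cust, 80), (web, 40000), 60, "SYN-ACK"),
        (1, "in", "tcp", (web, 40000), (cust, 80), 52, "ACK"),
        (2, "in", "tcp", (web, 40000), (cust, 80), 500, "PSH-ACK"),      # HTTP request
        (2, "out", "tcp", (cust, 80), (web, 40000), 15000, "PSH-ACK"),   # HTTP response
        (10, "out", "udp", (cust, 53000), (web, 53), 80, None),          # DNS query
        (10, "in", "udp", (web, 53), (cust, 53000), 300, None),          # DNS answer
        (20, "out", "icmp", (cust, None), (web, None), 84, ICMP_ECHO_REQUEST),
        (20, "in", "icmp", (web, None), (cust, None), 84, ICMP_ECHO_REPLY),
    ]
    pkts += [(100, "in", "tcp", (atk, p), (cust, 80), 60, "SYN") for p in range(1000, 2000)]
    pkts += [(200, "in", "udp", (atk, 53), (cust, 12345), 1400, None)] * 500
    pkts += [(300, "in", "icmp", (atk, None), (cust, None), 1500, ICMP_ECHO_REQUEST),
             (300, "out", "icmp", (cust, None), (atk, None), 1500, ICMP_ECHO_REPLY)] * 2000
    meter = BillingMeter()
    for pkt in pkts:
        meter.observe(pkt)
    return meter.close_month()


if __name__ == "__main__":
    billed, free = meter_sample_month()
    print(f"billed {billed} bytes, unbilled {free} bytes")
```

Only the web hit, the DNS round trip and the customer's own ping (charged twice) end up on the bill; the three floods land entirely in the unbilled column.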
Sure, this could ignite a thread about [insert software vendor of your choice] and their hole-filled software with respect to how fast service patches come out, but it's not meant to. It's about the reality of technology and the responsibility that goes along with it. You want the privilege of live internet? I think you need to know the basics of networking and security first, because it's a public forum and what you do has an impact on others. Don't want to step up? I've got an AOL CD with your name on it.
The security of my computer (and therefore, my bandwidth) is my responsibility. The physical security of my house is my responsibility. What about my car at the parking lot? Most places say they're not liable. So... I take the responsibility of making sure my doors are locked (and taking the risk of an actual glass-break-in) if I want to shop at [department store]. Being live on the internet isn't much different. You're still traversing among the public, only now the population is MUCH bigger. As soon as I stick my Cat5 in the wall, security IS my responsibility. I don't buy the stance of "it's Microsoft's fault my box is insecure, and there was no patch." We're all adults. You run what you choose on your equipment, and that's your decision. My ISP runs wide open, and they make it known that there isn't any filtering and firewalling going on. They like to deal with the computer-savvy customer and encourage the use of a non-Windows machine for your firewall, and have free classes on how to set it up. If my WinNetOpenBeOSFreeBSDLinuxBox gets hacked and there's a patch or a config file that I neglected to update/change/whatever, isn't it my responsibility? I think so... You take your lumps, learn, and do better next time. The internet, like the circus, is a place where the smart get sifted from the ignorant, and usually the ignorant get parted from their money. Pay your nickel (i.e. know your network), ride the ride... otherwise, you're in Soviet Russia....
-- I'd say your post was about 3 monkeys, 18 minutes.
What you may be interested in is where you stand legally. A RAND study made during the middle eighties (obviously not internet related) covering similar thefts returned the following conclusion.
In the case where the theft occurred (mutually) from both a commercial and a private victim, the commercial victim is generally assigned the majority of the loss because they are considered to have superior knowledge and to have been in a better position to prevent the theft from taking place.
Since the theft was allowed by two entities (the target computer and the ISP servers that allowed the theft to take place), both entities would probably be apportioned a percentage of the cost.
Since this has never gone to court, there is no case material to set some form of guidelines.
My guess is that apportioning the entire blame to the customer (and billing them) would not hold up if the customer filed against you.
Depending on what measures your ISP has taken to prevent this type of abuse (filters, scanning, etc.) you could probably get away with some form of apportionment where the customer is billed for part of the cost.
Tom
Big attacks should be reported to Homeland Security. (Really. Effective March 1, Homeland Security runs the National Infrastructure Protection Center. ISPs are going to be dealing with them on a regular basis.)
ISPs should eat the costs.... If you provide me with a service that claims to provide me with a certain bandwidth.... then that is what I get.
The fact that YOUR (ISP) system of delivering bandwidth is faulty or doesn't account for abuse potential is NOT my (consumer) fault.
If you decide to enforce a D/L cap, I myself will not be your customer....
If I was the average Joe who opted to take on that bandwidth cost then I would blame YOU the ISP for allowing malicious data to be replicated at obvious expense.... as in, if a port is responsible for great amounts of malicious (repetitive, near obvious redundant packet exchanges indicative of an attack, worm, or virus).
The whole thing is, as an ISP... the service you provide should be a fully enclosed package... no hidden/additional costs. And bandwidth capping should not incur automatic additional costs to the consumer after a limit is reached; it should result in a great limiting of bandwidth (after a certain amount is reached) or in a blocked connection (allow only the company's IP until the customer buys more bandwidth).
My personal opinion: we are getting dicked by the telecommunications industry from the top down... everything from home phones, cable, cell phones, broadband, T1s and more are grievously over-priced at a near basement cost to the mother companies. By the time a consumer receives their data the fixed price of hardware and the cost of ELECTRICITY has been multiplied ten-fold. Mid-range ISPs are being squeezed by the big players, and in turn are having to offer misleadingly high "bandwidth" speeds with BullShit capping.
Downloading megabytes into your cell phone doesn't cost Sprint shit, but you'll have to pay $1.00 per DL.
Of course the telcos are screaming bloody murder about their losses, but it isn't from data rates.
As a last note.... when we were all using 56kbps modems you could DL for days on end... you could call your local BBS and be charged a phone call while DLing full-speed for hours.... No extra cost... didn't cost them a thing since we paid for the phone call.... Now that high-speed is in the home.... and the telcos found they could save even more money by offering bandwidth speeds based on diluted averages of many users, they think it's fair to make more money by punishing those who ACTUALLY USE THEIR bandwidth. Bandwidth which is only ELECTRICITY. Do you honestly think Time Warner can offer 500 channels of digital cable, with "on demand" channels (where you can choose a movie and play it immediately) for $60 a month and not provide that same (nearly continuous) data rate to internet connections?
Luckily.... with the advent of online movies, music and application servers and such, soon even Joe Email will be needing a constant high-speed connection.
Just my two cents.... VISION
--Enter The Sig--
--Idiots, Every single one of YOU, A flaming mass of conglomerated morons, hey wait a second, isnt that how RAID works?
Suppose you live on a crosspoint of several countries. Your house happens to be located in a dangerous curve on the road. Also for some reason your house looks to some kiddies like it asks to be vandalized.
For these reasons you get a lot of breakin attempts, occasionally a truck crashes through your walls. All this is not only by people from your own country, but from neighbouring countries as well.
You install warning lights and other measures so cars and trucks don't come in crashing. You call the police when kiddies vandalize your home, but they say they can't do anything.
All this costs you a lot of money and headaches.
In real life there are several ways to defend yourself:
Now apply these principles to your hosting server.
Suppose your house is rented. Is the person renting you the house responsible for every breach? Did he warn you before you signed the contract? Is it his responsibility to call you every time some vandals are passing on the road? Or some truck may crash into your home?
Of course your ISP can warn you for every threat that may be coming, but what if there's no warning time? Or he misses a small thing that happens to affect your server bigtime? Is the ISP really responsible?
Be careful out there...
ISP A has customer X. ISP B has malicious user Y. Malicious user Y sends huge quantities of packets to user X.
The question seems to be, should ISP A eat the cost, or should customer X eat it? Why the hell are those the only two options?! It seems to me like ISP *B* should eat the cost, since the malicious packets were sent through their network in the first place. ISP B can attempt to recover their loss directly from malicious user Y.
The ISP *and* the customer are both victims in a DOS attack. Whoever runs the network which *initiated* the attack should be responsible.
You could charge for spike "insurance" as an additional fee, that would be smaller than the cost of paying for the cost of an actual bandwidth spike.
This might look like extortion, but you could work out ways it wouldn't. For example, you could offer 3 choices:
1) customer pays for all the bandwidth as usual.
2) customer pays regular flat fee plus small addendum as insurance for major traffic spikes (hire a statistician to get this to work out just barely in ISP's favor over time, and be honest about the process)
3) customer pays regular flat monthly fee and gets shut down upon hitting bandwidth threshold. With permission from customer, site can be restored at regular cost for additional bandwidth.
I think if you were really honest about how you came up with the cost of the insurance, customers would like it. For a lot of people, it's easier to pay $100/month for 12 months ($1200), than it is to pay $80/month for 11 months plus $300 for one month ($1180). Just because you can plan ahead, even if it costs more.
Under criminal and most other law, the criminal becomes liable for both direct and indirect damages. As an example, if a gang robs a bank and a gang member gets shot by a clerk, the gang leader is charged with homicide/murder/manslaughter, as appropriate. In this case, the spammer, worm originator, or other attacker should similarly be held liable for direct and indirect damages -- meaning everything from bandwidth to cleanup.
IPv6 allows many security features, including authentication and nonrepudiation. An ISP (or anyone for that matter) can easily use their logs to verify that packets are from a particular source. By rejecting all packets unless traceable, and then keeping the traces around, the responsible party can be easily found by talking to everyone along the chain until someone either has no logs or originated the attack.
Once you've found the person, simply either eat the cost as is done now (if they are a little person infected with a worm/virus but don't have logs), OR try to get money from them and blacklist from future systems (if they are a real criminal).
Something I would LOVE to see is a system that holds everyone responsible. An Internet where to get an address block you sign away certain rights. You would assert that you will either keep logs of all activities or pay for any damages [see above]. When any software is released for use on this new network, the software company would be held liable for damage done by their software [see Outlook worms]. Any software using the network would have to properly record all network transactions through cryptographically secure undeniable means. Lastly, all commercial communication, unless specific one-to-one talking or client/server requests like the web, would be strictly forbidden, again with damages paid [no spam]. That is my Dream Internet.
frob.
//TODO: Think of witty sig statement
You can then turn around and sue the person who caused the damage.
The ISP cannot decide in many cases if the extra bandwidth usage is legit or not, so has no business cutting your line.
Since 99.99% of all virus/trojan/worm attacks are the result of Microsoft's piss-poor security, I say charge the extra bandwidth spikes due to something like this back to Microsoft!
No matter where you go... there you are.
Argument extends ParentPost //assuming ISP A and user X exist in USA
{
ISP B = new ISP(ISP_in_RUSSIA);
User Y = new User(I_don't_give_a_rip-Spammer);
Screw(A, X);
}
robi
No law against this. It's like me providing you with a doorbell service. If I want more money, I just keep pushing the button. If you were dumb enough to sign up for this then you'd better trust me.
Clickety Click
One way or another...
Oh yes, he will pay.
Build stuff. Stuff that walks, stuff that rolls, whatever.
Such a setup would allow for full utilitization of the network bandwidth and avoid all the hassle of pissing people off by sending them extra bills or suspending their account.
I don't care if it's 90,000 hectares. That lake was not my doing.
The ISP is charged by its provider for the bandwidth, and if the ISP suddenly has massive bandwidth utilisation during a month, and they have to pay extra, then it's understandable that they should pass the cost down to the customer.
However, if you think about it - the ISP won't be having to pay its provider more if it does "Above 1Mb/s on *this* pipe.. above .5Mb/s on *this* pipe .. " that they dish out to clients. It actually would get charged if it goes over "300Mb/s" on their providing line(s). (I could be wrong on this - perhaps most of the middle to big sized ISPs/Colos just have to pay a fixed rental, but I'm sure this is how it is for the small ISPs/colo facilities)
What if the ISP doesn't hit the utilisation required for it to be charged extra, but individual systems within its network get hit hard by a particular virus? (Slammer for example didn't pick IPs properly at random, so some IPs would be hit, others wouldn't)
In this situation, I think the ISP should let them off the fee. The ISP hasn't been charged any extra for the slammer traffic, so it should let the customer off the charge. It'll do wonders for loyalty if you can see your provider is fair and reasonable about things.
The other situation to consider is when an ISP does get billed by its backbone provider heavily for extreme and unusual utilisation.
Alright, hold that thought. Right at the top levels of backbone providers, there is no direct cost associated with using 80% or 10% of a backbone line. It simply is. It's at this stage I think, that they should possibly relieve their clients of bills that are easily attributed to big viruses that are doing the rounds. Granted, then what do you do about spam? Where do you draw the line as to what is 'unsolicited/extreme/garbage' traffic?
Another solution I've just thought of is to extend the period that an average is worked out over, so that over the year if you're under 1Mb/s, you don't get charged extra. It should even out massive, but short lived spikes from worms such as Slammer.
Yes, I know contracts are normally clear about traffic levels and bills that you will receive if you break them, but I do think it's unfair for a small site that has just gone colo to suddenly get a bill 10x its normal bill since the latest worm has been targeting its machine, primarily since there is no direct cost to the ISP, or the ISP's provider, that can be attributed to this extra traffic (as long as there is spare capacity!).
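The post above suggests averaging over a longer period so that short worm spikes wash out. The following is an added example, not code from the thread, that shows how the common 95th-percentile burstable method already discards a spike shorter than 5% of the month (1.5 days at 5-minute samples) but bills a two-day spike in full, and how a yearly-mean window would treat the same traffic. The tariff, sample spacing and traffic shapes are constructed assumptions.

```python
# Added example (not from the thread). Tariff numbers, sample spacing and
# traffic shapes are constructed assumptions for illustration only.

SAMPLES_PER_DAY = 288          # one inbound-rate sample every 5 minutes
DAYS_PER_MONTH = 30            # 8640 samples per month, so 5% = 432 = 1.5 days


def month_of_traffic(baseline_mbps=0.6, spike_days=(), spike_mbps=9.5):
    """Constructed month of 5-minute inbound samples: a flat baseline with a
    worm-driven spike lasting the listed whole days."""
    samples = []
    for day in range(DAYS_PER_MONTH):
        rate = spike_mbps if day in spike_days else baseline_mbps
        samples.extend([rate] * SAMPLES_PER_DAY)
    return samples


def percentile_95(samples):
    """Usual ISP method: sort the month's samples, throw away the top 5%, and
    the highest remaining sample is the billable rate. Integer ceiling keeps
    the cut-off exact for any sample count."""
    ordered = sorted(samples)
    keep = (len(ordered) * 95 + 99) // 100
    return ordered[keep - 1]


def monthly_bill(samples, committed_mbps=1.0, committed_price=300.0, burst_price=450.0):
    """Flat price for the committed rate; any 95th-percentile excess over the
    commit is billed per Mbit/s at the burst price."""
    excess = max(0.0, percentile_95(samples) - committed_mbps)
    return round(committed_price + excess * burst_price, 2)


def yearly_average_bill(months, committed_mbps=1.0, committed_price=300.0, burst_price=450.0):
    """The alternative from the post: average every sample across the whole
    year and charge for excess only if that yearly mean exceeds the commit."""
    all_samples = [s for month in months for s in month]
    mean = sum(all_samples) / len(all_samples)
    excess = max(0.0, mean - committed_mbps)
    return round(12 * committed_price + 12 * excess * burst_price, 2)


def compare():
    """Same customer, three months: quiet, a one-day spike, a two-day spike."""
    quiet = month_of_traffic()
    one_day = month_of_traffic(spike_days=(10,))
    two_day = month_of_traffic(spike_days=(10, 11))
    return {
        "p95_one_day_spike": percentile_95(one_day),      # spike discarded -> 0.6
        "p95_two_day_spike": percentile_95(two_day),      # spike survives  -> 9.5
        "bill_one_day_spike": monthly_bill(one_day),      # commit only     -> 300.0
        "bill_two_day_spike": monthly_bill(two_day),      # 300 + 8.5*450   -> 4125.0
        "yearly_bill_with_two_day_spike": yearly_average_bill([quiet] * 11 + [two_day]),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The practical check before disputing a bill is therefore how many 5-minute samples the spike occupied: under 432 in a 30-day month and a 95th-percentile contract should not have billed it at all; over that and the whole spike rate is billable, which is why a worm that runs for two or three days is so expensive under the standard method.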
People should be accountable. If their PC is infected with a worm or virus which results in a large bandwidth bill, the customer is responsible to pay it. Afterall, the ISP has a bandwidth bill to pay too, and they certainly don't get a "service credit" just because your Windoze box has W32@Klez.
In addition, making the people responsible for their personal worm/virus traffic would make folks more proactive about virus prevention and more cautious of which sites they visit. This IMHO is a Good Thing.
Another potential positive would be that people might start wondering "Why does my friend/relative who runs Linux never complain about viruses?" and "Gee with all these viruses that only affect microsoft products, maybe I should look elsewhere for my software needs."
At least in my state, you are responsible for your car's emissions. If your car is polluting above the state limit, regardless of the reason, it is your responsibility to fix it. They don't care what the reason is for your excessive emissions, whether it was rust, hungry chipmunks, incompetent redneck mechanics, or just a poorly built Ford SUV. And they have a system of mandatory repairs and/or fines in place to enforce this. This is a Good Thing.
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
Just wondering this. If the person sending the packet pays a bill for that packet and the person receiving that packet also pays a bill, they are both paying on that same packet. Why not just shift the price so that only sending packets are paid for?
I know it's a stupid question, but why not? Other than the fact that somewhere someone is saying "Shit, people finally woke up and realized they are paying twice for the same thing, there goes half our revenue." Why ARE we paying twice? Either pay for outgoing, or pay for incoming. If somewhere someone already paid to send that packet to the net, then the receiver should not have to pay for receiving that packet, or vice-versa.
The only real problem I can see with this is that you have clients and you have servers, with clients sending few packets to receive back several thousands (or millions). A new pricing model should really be set up for the whole system, but that will never happen unless everyone stops making money off the current system.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
What many posts in this thread do not seem to take into account is the greater reality that is the web. With a completely patched server and firewalling that drops packets not desired to hit said server, incoming bandwidth is changed none whatsoever. You have zero control over traffic until that traffic hits a device under your direct control. With most ISPs, that device can only be placed well past their traffic monitoring point. Ergo, you pay for bandwidth whether you want it or not.
You do have the ability to reduce the total amount of bandwidth consumed by dropping unwanted return connections, but that may be irrelevant if your site is subjected to a DDoS attack.
The largest problem lies in determining whether traffic is "legitimate" traffic BEFORE it passes through the ISP's network to the client. That said, there are a great many possible ways to accomplish this, such as:
The above are merely ideas or concepts, I will leave implementation to those that require the features. But it gives a good idea of the directions that an ISP can go to mitigate the costs of unwanted bandwidth. Just like Credit Card companies will call a customer to verify that they really do want to purchase that Tiffany diamond in a State they've never visited before, maybe ISP's should be monitoring traffic for irregular patterns and contacting customers to verify that the traffic is legitimate.
ISP's can't merely turn a blind eye when the entire netblock they serve starts sending or receiving traffic generated by the latest worm, virus, etc. They should do their best to mitigate their losses and losses of their customers.
I'm not saying that customers are without blame, just that the people running ISPs may have more technical knowledge than that of their customers and should be proactive in protecting those customers from further harm. If you want a real-world, non-technical example, think Firestone and Ford. A problem created outside of Ford that could have been eliminated before reaching the customer if only greater due diligence had been used. By ignoring or overlooking the problem (I don't know the exact details) both Ford and its customers were negatively impacted. Was it Ford's fault that the tires were faulty? No. Could they have done something about the tires earlier? Possibly. Could the customer do something about the tires? Yes, but only after they knew of the problem by experiencing the negative consequences.
The scenario doesn't differ much when applied to unwanted bandwidth. If ISP's fail to do their part, unwitting customers will always suffer.
If a site hosted within our systems suddenly spikes because of slashdot or whatever, I will administratively throttle it down a bit to prevent it from consuming all available bandwidth. If it's caused by a vulnerability in our systems (all BSD-based), we will eat it, as we should.
If a co-lo'd customer, or someone paying for bandwidth, starts to spike we will examine the cause. ALL of my customers are required to go through a firewall managed by us. They do not have access to it. If a new virus comes out, it goes in the blacklist rule and those inbound connections are not allowed. We will also block certain outbound (all NetBIOS ports by default, plus virus ports, and those which things like rootkits would use) connections unless explicitly requested by the customer - in that case, they are made to understand that they are using a port which is known to be related to security risks, and it's on them if they get hacked/infected and spike their usage.
We don't shut people off. And if it's a small overage I'll usually let it slide. However part of their contract includes an agreement by them to keep their systems virus free and patched to current security levels. If they triple their usage because they were lazy, they will pay. As a security engineer I simply cannot accept the "we didn't know" excuse - there are multitudes of notification email lists you can get on to find out if your systems are vulnerable. This also forces people to take a more proactive stance on security, and prevent these things from happening in the first place.
This is like having your credit card stolen. If you notice, and notify the company promptly so they can start blocking charges then you are only out $50 (and sometimes they even waive that). However if you don't notice until your bill comes at the end of the month that it's been gone for a whole month, then you're out the whole amount.
Same thing for bandwidth. If the customer notices a problem and notifies the ISP so they can take steps to block / track the attack then they shouldn't have to pay. However, if they are too lazy to monitor their own gear, and/or call the ISP they deserve every dollar they get charged. The customer needs to be a partner with the ISP in fighting these sorts of things, otherwise the ISP never has a chance to catch the real criminals.
Of course, all this is for medium size and up ISP customers. Smaller businesses and/or individuals may just want a "turn it off if it goes above x" until I call model, which is completely reasonable.
Ok. When I pay for 768 kbs up/down, I want to be able to utilize that bandwidth ALL THE TIME. I don't want to be capped at 30GB worth of file transfers a month, when I could, theoretically, push 312.5 GB of file transfers (one way!). I want what I pay for, NOT what the ISP feels like giving me AFTER I've already given them my money for an allotted amount of bandwidth per second. When I first signed up for cable, there WASN'T anything in the contract stating that there was a monthly limit on file transfers. I didn't know until I got a call from my ISP saying that they "could" charge me $2,000 for my bandwidth "ABUSE" *cough use*. I then went back and re-read the contract.. it appears as if it was added in AFTER I signed up.
Listen to my experimental-industrial-techno!
I was quite amused to read this story and the follow-ups.
Two days ago I put my personal web-site up. It's sitting on a linux box (Apache) behind my firewall, which only lets incoming connections initiated on port 80 through.
In two days I have had maybe 100 hack attempts. All using variations on "GET /something/cmd.exe" or "GET /something/dir.exe". I'm amused, 'cause my Linux box ain't going to get hacked that way.
But, WTF... they're using up MY bandwidth. Why can't ISPs take some responsibility for detecting script kiddies. There can be exactly no un-patched useless WinNT boxen out there. Why shouldn't Mr ScriptKiddy be asked to pay for the bandwidth?
In telephones (in the UK, at least), calling party pays. If someone is hammering my bandwidth maliciously (or at least dumbly) why should they pay?
And why can't I get an ISP that "traps" stupid requests, and reports them to the user's ISP. Too many issues and that ISP is blocked.
Why not?
(I'm thinking about setting up a DDOS system on anybody that tries to 'hack' my server. Just for a laugh, obviously.)
--- My dad's political betting
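The poster above wants the cmd.exe-style probes hitting an Apache box counted and reported to the originating ISP. The following is an added example, not code from the thread, that scans constructed Apache common-log lines for the well-known IIS worm probe signatures, tallies them per source address, and produces the short list you would attach to an abuse complaint. The sample log lines, the signature list and the reporting threshold are constructed assumptions.

```python
# Added example (not from the thread). The log lines below are constructed
# with documentation-range addresses; the probe signatures are an assumption
# covering the cmd.exe / root.exe / default.ida requests the thread mentions.
import re
from collections import defaultdict

SAMPLE_LOG = """\
203.0.113.7 - - [09/Feb/2003:02:14:11 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280
203.0.113.7 - - [09/Feb/2003:02:14:12 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280
198.51.100.23 - - [09/Feb/2003:02:15:40 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.9 - - [09/Feb/2003:02:16:03 +0000] "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0" 404 280
203.0.113.7 - - [09/Feb/2003:02:17:55 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
198.51.100.23 - - [09/Feb/2003:02:18:01 +0000] "GET /photos/ HTTP/1.1" 200 2048
"""

# Apache "common" log format: ip ident user [ts] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Probe signatures (assumed list): IIS command execution via cmd.exe/root.exe,
# the Code Red .ida overflow, and the plain or double-encoded traversal used
# to reach them.
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r'cmd\.exe', r'root\.exe', r'/default\.ida', r'\.\./', r'%25(?:5c|2e)')
]


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not common-log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_probe(path):
    """True when the request path matches any known worm/script-kiddie signature."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def scan_log(text):
    """Tally probes per source: {ip: {"hits": n, "bytes": response_bytes, "paths": [...]}}.
    The byte column is the response size, so it measures what the probes cost
    you outbound; inbound request size needs mod_logio's %I field instead."""
    report = defaultdict(lambda: {"hits": 0, "bytes": 0, "paths": []})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_probe(rec["path"]):
            continue
        entry = report[rec["ip"]]
        entry["hits"] += 1
        entry["bytes"] += rec["bytes"]
        entry["paths"].append(rec["path"])
    return dict(report)


def abuse_report(text, threshold=2):
    """Sources with at least `threshold` probes, busiest first: (ip, hits, bytes).
    One stray hit is noise; a repeat offender is what you send to abuse@."""
    tallies = scan_log(text)
    return sorted(
        ((ip, t["hits"], t["bytes"]) for ip, t in tallies.items() if t["hits"] >= threshold),
        key=lambda row: (-row[1], row[0]),
    )


if __name__ == "__main__":
    for ip, hits, nbytes in abuse_report(SAMPLE_LOG):
        print(f"{ip}: {hits} probes, {nbytes} response bytes served")
```

Run it over a real access_log and the report gives the per-source evidence an upstream's abuse desk actually acts on (address, count, timestamps, paths), which is far more useful than the raw byte count on the bill. The traversal patterns will also flag some ordinary broken links, so read the paths before forwarding a complaint.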
It's a tough problem. You don't want your ISP playing God. Yet, you don't want to pay for unexpected bandwidth.
That's like saying you only want good bandwidth and none of the bad bandwidth. :)
Let's use a Mall analogy:
You build a shopping mall. There are roads leading into your mall. The city maintains the roads, but the parking lot and accessways into the malls and shops are maintained by you, the site owner.
If you get a lot of paying customers coming and they jam up your parking lots and driveways and walkways with cars and people who are willing to pay, you don't say anything because you're getting money.
However, let's say you get a lot of non-paying traffic. A large group of people decide to find a place to gather and organize and decide on your mall. They take up your parking spaces and take up the chairs in your food court or block walkways while they chat. No money being earned.
It's still traffic, but it is traffic you don't want. You still have to pay the electric bills and road maintenance. But you don't get compensated.
Who should foot the bill for your losses?
Seriously, the customer should monitor their systems and when they detect anomalies, should be able to work with their ISP to have the traffic in question blocked off. In the event of a DDOS/DOS, then they should seriously consider taking their system off the pipe.
ISPs should see this as a profit potential. I mean, offer your customers content based filtering. Let them setup their own filters and provide assistance service contracts.
In the end, the ISPs will make extra money, customers will feel more supported, and the network bandwidth will be better utilized.
As for the Mall, if there are people taking up space to the point of disturbing your business, it may be time to call in the police.
Customers and Providers really need to work together instead of pointing the finger.
Winged Power Photography
The packet no longer goes to the customer, so the customer no longer pays the bill ... that doesn't solve the problem that the ISP still receives the packet and still has to pay their upstream provider. The ISP still uses up bandwidth, all it means is that they can't charge the customer for it.
Where's the incentive for the ISP?
- MbM
A few notes about charging for bandwidth:
These are some of the steps we use to protect ourselves and our customers. Your mileage may vary.
(We use packeteer for rate limiting, but I keep eyeballing OpenBSD/AltQ/PF for both rate limiting and firewalling for our customers).
Compare this to someone constantly text-messaging spam to your wireless phone. You could quickly run up an insane bill that way, and there's really nothing you could do about it. The wireless company is contractually in its rights to charge you.
But it won't.
That's how they work. Someone screws with you, typically the provider eats it, especially if there was nothing you could do about it. That puts the incentive back onto the one entity who can actually do something about it: the providers. True for wireless. True for credit cards. True for just about anything where the end user can't do anything to stop the abuse.
The ISPs can do something about it. They have chosen not to because of how we (the geeks) developed the internet. It's too trusting. But at the end of the day, your ISP does know who you are, because they send you a bill. And they could apply uniform terms of service if they chose to, and only talk to other ISPs who have similar terms.
The RBLs are the future. They just don't go far enough. When they're willing to not just cut off SMTP but entire connectivity to other ISPs who aren't willing to play by uniform rules, then we'll start to see some changes. What kinds of rules? Here's some for starters:
- Authenticated mail only. Yep, this looks like banks' "know your customer" rules. You can be anonymous all you like up to the point that you connect to the mailer. But the guy who forwards mail for you is going to be held responsible for your behavior. Yes, that will radically change the free-service providers (yahoo, hotmail, etc). They're free to come up with solutions that don't require them to know exactly who you are, but if they host spammers, we're not going to talk to them. This is just the logical extension of RBLs.
- Same deal for acting as a DDoS zombie. The owner of the unpatched box is responsible, but it's the responsibility of the ISP to be able to identify that person for legal action. If they can't or won't, then we don't talk to them.
None of this says that you can't be anonymous most of the time. It just says that if you're disrupting service and causing real losses due to your actions or lack of actions, your ISP is going to have to hand you over, or they're going to be held responsible. The right to privacy has to be balanced with responsibility for your actions. The old-world networks (phones) have worked this way for years. I can block my out-bound caller-id. I can have an unlisted phone number. I can be very anonymous on the phone. But if I'm named in a lawsuit or criminal complaint, the phone company will hand me over in a heartbeat. The only way around this is pay phones with cash. It's hard to run a large-scale scam that way.
And no, this doesn't mean that an ISP's logs are free game to the RIAA. But it does mean that if the RIAA wants to name a specific "unknown party" in a lawsuit, the ISP is obligated to identify them. Before you get excited, that's exactly the current situation. The RIAA just wants to get the info without actually suing you (which is wrong, and luckily some ISPs have resisted). ISPs need to be willing to say they will only interconnect with other ISPs who play by the same rules.
Yes, this will fragment the internet for a short period of time. So do the RBLs. But economics will fix it fast enough, especially if entire connectivity is cut off.
Are you sure you understand how all this works?
"Half the problem here is that we bill for bandwidth in the wrong way. By billing on traffic, we open ourselves to exactly this sort of problem - it would be like billing for water consumption based on pressure (rather than volume)."
This doesn't make sense to me. Pressure is like access... nothing flows until you make it flow. It is just the potential for flow. Volume of water flowing (think of it as molecules=packets) is analogous to packets flowing and is a much fairer way of charging for bandwidth since the person pays for what they used (exactly like they pay for the water they use).
"The reason ISPs bill per megabyte is so they can bill multiple customers for the same piece of infrastructure... and at the same time, over-subscribe that piece of infrastructure."
I think you have this backwards. When you charge for a connection ("access") then you can bill multiple customers because you can safely assume that not all of them will be utilizing their access fully. We had an upstream provider that had 19 PVCs on one T1 connection upstream... and was charging every one of its downstream customers for a T1! This is what is meant by "oversubscription". How, exactly, would you double bill for a measured amount of packets?
According to your theory the grocery store should only charge the first customer because then his "infrastructure" costs would be met.
"Strangely enough, paying a fixed fee based on the size of your connection is where the whole thing started. Paying per byte is a relatively recent (several years, but still recent) concept, thought up by greedy providers who realised they can charge many customers for something that is essentially free."
Bandwidth measurement was (and still is) more expensive to count and to bill than simple access. A simple connection is simple; you just provision the PVC and start billing. That's why everyone started out that way. Once the technology was in place (cheaply enough) to allow ISPs to measure bandwidth, then - and only then - could they charge for it.
I don't know how you can think that it's "free". Is your transportation free even though you've paid off your car? ISPs have to charge enough to pay their engineers, their billing people, their sales people, plus have enough to cover capital expenses for new equipment (which the customers will demand because their needs increase). Plus the ISP has to pay its own uplink charges for bandwidth (usually metered). And then, of course, there's the interest payments on the loans taken out to buy the original equipment. No, you're dead wrong. Bandwidth is not "essentially free".
"Take a look at the profit levels of some of the bigger providers in your country. Here in Australia, Telstra, Optus and Connect all report multi-million (and in many cases billion) dollar profits. Nobody can tell me that the core connectivity of the Internet isn't currently a profitable business."
I don't suppose the plethora of bankrupt US providers would convince you otherwise, either. The profit margin for an ISP is razor thin and getting thinner as providers drop prices in an attempt to gain customer base (and profitability). Even AOL is struggling. No ISP in the US is making billion dollar net profits.
I think your understanding of economics is as weak as your understanding of pressure and volume.
No one ever had to evacuate a city because the solar panels broke!
Your analogy makes very little sense in the real world.
You have your T1. So do 3000 other people. The ISP has calculated that on average, only 15% of your T1, along with everyone else's, is used in any given month.
That T1 has to connect to something, don't it? It's not a point to point connection to every single site you go to. Your T1 will drop into a DS3, ATM, POS connection. The ISP has calculated what they need to run in the back end, and what they need at the various peering points with other providers.
Let's say the ISP only has 3000 T1 customers. That's a total available bandwidth of 4632 Mb/s for all T1s combined. But since on average only 30% of that is used, that falls to 694. They play it safe and decide that on the backbone they triple that amount (which is not the case. Usually it's less than double). That's still only 2084 Mb/s (or 13 DS3s). Your price for a T1 has been calculated using these numbers. Suddenly everyone uses their T1 at full capacity 24/7. The ISP has to put in more pipes to accommodate this. This means their bills to the backbone have skyrocketed. Since your original price was based on 15% utilisation, and now it's 100% utilisation all the time, what do you think will happen? Your bill will go up significantly. The ISP is in business to make money. If it has to put in another 16 DS3s that will run at 100%, they've more than doubled their operating costs. Why should they take a loss? They are totally justified in raising their prices.
This is how the real world operates.
It's better to burn out than to fade away
So far, I think many posters have forgotten one simple fact.
ISPs don't have infinite bandwidth.
I know, it's quite a strange idea. But think of this.
If you're an ISP in a single location, chances are you're buying a few (hundred?) megabits off your upstreams. Unless your upstreams are happy to filter traffic they send to you (and unless it's a very large DDoS, most of them will take a while to implement any access control), the ISP will still be charged for traffic sent to a customer even if the customer chooses to reject it.
Similarly, if the ISP provides filtering support for their customers, they still receive the traffic and bite the usage.
Now, if you're a large ISP and have links to other peering exchanges. Even, say, you peer enough to not really need transit. These inter-state links still cost money. And they're fixed. So if a customer is hit with a DDoS they'll still be carrying it _somewhere_.
Even if this mythical tier-${LOWNUM} ISP with lots of fat peering links has some magical scripts to filter out DDoS traffic to a given customer range, it still will hit their border routers. So their peering cross connects have already been filled. The only way around this is to deal with their peers..
Now for the juicy bits. This happens. Every day. The large network NOCs are in constant communication with each other about large DDoS attacks. The little ones slip through the cracks until people complain but generally the large network NOCs will have many other issues to deal with so in a way I don't really blame them.
But they don't really have the incentive to spend all their time dealing with smaller networks being attacked. They'd be worried with keeping their network from melting under a few larger ones.
The flipside. If you're an ISP with enough bandwidth (and not high-profile sites like irc servers or pr0n) you might be willing to bite the costs of various attacks as part of a marketing point. Customers may come to you because you have a reputation of being lenient under attacks. Perhaps. But that's a delicate line.
Me, I dig flatrate pipes. Usage based pipes are just asking to be owned by excess traffic. If I buy a megabit then all I really have to worry about is service degradation due to DoS. ISPs, in my experience, will help you with that. But if you're on a usage based pipe which then gets owned by a DDoS you're struggling after the fact to get a rebate. Good luck.
(Although, that said, perhaps you guys should consider asking for usage based pipes that _have_ a bandwidth cap. Figure out what your maximum spend amount is, say 5mbit, and then ask for a usage-based pipe based on that. That way you limit your liability _AND_ getting the cheaper transit. Most of the time.)
You should allow your customers to set an incoming quota. Anything higher (per minute? per hour?) is bounced. (Not held.)
If the users don't set a quota, then they are liable. If they do, then you are the insurance carrier. (I guess that it has to be an extra cost service.)
It is important to customers that they be able to predict the size of their connection bill. If they can't, this can cause a lot of trouble. But you could offer an insurance policy that basically says "You won't have to pay more than X amt. I'll bounce the excess if a spike happens." You might want to think carefully, though, about what your cost exposure would be, before you decide on the cost of the policy. (Even having an expensive policy, though, should be a reasonable answer to the current customer complaints.)
I think we've pushed this "anyone can grow up to be president" thing too far.
Ideally you'd be able to roll over bandwidth for exactly one month, as in subtracting the previous month's rollover at the end of the month. Your bandwidth would be continuously throttled to the rate at which you'd expend all of your bandwidth at the end of the month. Without rollover, the ISPs would have a huge sawtooth pattern in monthly load with one of the sides of the teeth being nearly vertical. The rollover is more for the benefit of the ISPs than anything; so is upstream port blocking, allowing ISPs to block unwanted traffic at its borders.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
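Two posts above propose, respectively, a customer-set incoming quota whose excess is bounced rather than held, and a one-month rollover with continuous throttling so the ISP's load stays flat. The following is an added example, not code from the thread, that models both in one quota enforcer: accepted bytes are the billable ones, anything over the available quota is counted as bounced, unused base quota carries forward for exactly one period, and a throttle rate is derived from what remains. The 7 GB quota and the traffic chunks are constructed assumptions.

```python
# Added example (not from the thread). Quota size and offered traffic are a
# constructed scenario; a real enforcer would sit in the shaper or firewall.
GB = 10**9


class IncomingQuota:
    """Per-period inbound byte quota.

    Traffic inside the quota is accepted (and billable); traffic beyond it is
    bounced, i.e. dropped, not queued. Unused quota rolls over for exactly one
    period and is drawn down first, so a spike that follows a quiet month is
    absorbed, but rollover never accumulates beyond one period's worth.
    """

    def __init__(self, quota_bytes, rollover=True):
        self.quota = quota_bytes
        self.rollover_enabled = rollover
        self.rollover_in = 0   # unused bytes carried in from the previous period
        self.used = 0          # bytes accepted so far this period
        self.bounced = 0       # bytes dropped so far this period

    def available(self):
        return self.quota + self.rollover_in - self.used

    def throttle_rate(self, seconds_left):
        """Rate (bytes/s) at which the remaining quota is spent exactly at period
        end; a shaper pinned to this value turns the month-end sawtooth into a
        flat load."""
        return max(0, self.available()) / seconds_left

    def offer(self, nbytes):
        """Offer nbytes of inbound traffic; returns (accepted, bounced)."""
        accepted = min(nbytes, max(0, self.available()))
        self.used += accepted
        self.bounced += nbytes - accepted
        return accepted, nbytes - accepted

    def close_period(self):
        """End the period: return its summary and carry unused base quota
        forward for one period only (last period's rollover is never re-rolled)."""
        drawn_from_rollover = min(self.used, self.rollover_in)
        unused_base = self.quota - (self.used - drawn_from_rollover)
        summary = {
            "accepted": self.used,
            "bounced": self.bounced,
            "rollover_in": self.rollover_in,
            "rollover_out": unused_base if self.rollover_enabled else 0,
        }
        self.rollover_in = summary["rollover_out"]
        self.used = 0
        self.bounced = 0
        return summary


def simulate(quota_bytes, periods, rollover=True):
    """periods: one list of offered chunk sizes per period. Returns a summary per period."""
    q = IncomingQuota(quota_bytes, rollover)
    summaries = []
    for chunks in periods:
        for nbytes in chunks:
            q.offer(nbytes)
        summaries.append(q.close_period())
    return summaries


if __name__ == "__main__":
    # Quiet month, then a worm month that offers 12 GB against a 7 GB quota.
    scenario = [[4 * GB], [5 * GB, 7 * GB], [4 * GB]]
    for n, s in enumerate(simulate(7 * GB, scenario), 1):
        print(f"month {n}: accepted {s['accepted'] / GB:.0f} GB, bounced {s['bounced'] / GB:.0f} GB, "
              f"carried in {s['rollover_in'] / GB:.0f} GB, carried out {s['rollover_out'] / GB:.0f} GB")
```

With rollover the worm month accepts 10 GB and bounces 2 GB; without it the same month accepts 7 GB and bounces 5 GB, and in neither case does the customer's exposure exceed the quota they set, which is the point of the insurance-style offer in the earlier post. Note that bouncing only limits what you are billed for past the quota point; as other posters say, the bytes still crossed your ISP's upstream link.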
I worked for awhile in telecom. For the most part, the expenses of the telephone company are fixed. You have switches and T1 connections going in and out. Those are fixed costs.
A telephone company would build a system for anticipated peak service and would add some room for expansion. As a result, the telephone company would build an expensive system with excess capacity.
Although costs were fixed, telecom companies would bill customers for time used. To do this, they would set a rate for normal usage that would be high enough to cover the costs of the peak usage network.
I imagine that the Internet is somewhat the same way. Internet companies build for peak usage and set a rate for normal usage that will cover the cost of the peak usage network.
The thing that happens in a DOS attack is that the DOS attack pushes the services used from the normal level to peak usage levels for a prolonged period.
Since most of the network's costs are fixed, the DOS attack really doesn't cost the network that much more. A DOS attack doesn't spontaneously generate more routers and fiber optic connections.
The end effect of the attack is that it screws up billing. Remember the normal usage rates are set high enough to cover the cost of peak capacity. The DOS attack creates a situation where the end user is suddenly being charged the rate calculated for normal usage at the volume of peak usage.
Now, I realize the Internet has an extremely large number of layers of service providers. Many ISPs are just middlemen paying metered rates. The ISP is caught in the same trap of screwed up billing. The cost of the ISP's providers didn't go up during the attack.
The big bills for both the ISP and end user are the result of flaws in the billing and metering processes and not actual higher network costs. The challenge is to keep the charges from the DOS attack from screwing up the billing systems.
BTW, I do not mean to imply in this thread that DOS attacks are cost free. Just that the bandwidth consumed during the attack is really not costing the network that much more. The machines, cables and wires have more stuff going through them. The DOS attacks cost the support people in the ISP time, and have a cost in lost opportunity; they also create billing nightmares. The DOS attack does not actually cost the real dollar amounts that suddenly appear on bills.
So the real question is "who should pay for each unexpected bandwidth consumption event - the person who owned the site that got hit, or all customers, indirectly?" If the answer is "the person who owns the site", then if an individual becomes the victim of a malicious or unpreventable attack, they lose out financially. This could be seen to be unfair. If the answer is "all customers", then all customers lose out financially from the actions of a few customers who fail to manage their sites properly. So if I completely fail to patch my SQL server, get hit by Slammer, and claim that that's a malicious attack and not my financial responsibility, then every other customer pays for my laziness. That could be seen to be unfair. The (apparently) fairest answer is a combination of the two - if I'm the victim of an attack, I shouldn't have to pay for the increased bandwidth and the whole community bears the cost; but if I fail to take appropriate action to prevent an attack/surge/whatever, it's my problem and I should bear the cost. However, that answer means that the ISP has to define the criteria for what constitutes appropriate action, then police that. Which costs them a lot of money. Which the whole community pays for :-)
Disclaimers:
1) I don't work for an ISP
2) I don't even have a website
therefore
3) I probably don't know what I'm talking about :-)
I have no problem with the ISP having to bite the cost of bandwidth especially when it comes to things like Slammer, etc.
I COMPLETELY disagree with the concept of public space and the user takes their risks. It doesn't cost me $70.00 (CDN) to walk in the park and I assume the risks of that action. I PAY $70 (CDN) for a certain level of bandwidth and service quality with very little risks.
Why should I pay for bandwidth that my network did not request? FOR EXAMPLE: on average I am billed for 300MB of traffic that my network or users never request. This calculation was done by reviewing OVERNIGHT usage logs (1AM - 7AM) which indicated approx. 9MB daily of unrequested traffic. This is traffic that is hitting my modem but not passing through my router, so I can be sure it's not being requested by my network.
While this unrequested traffic may seem small by many standards, it is still unrequested traffic that is impacting my monthly bandwidth usage limit of 7GB or 12GB. I know some may think, hell, it's only 300MB, but my point is I'm being limited by the total amount of traffic I can send and receive, and if I do not request this traffic, why should I pay for it?
That's like suggesting someone pay to watch the advertising on my TV because it's in the same pipe as my television signal. Bullshit!
ISPs big and small need to grow up and start providing real service to their customers and STOP throwing their hands up, saying we only provide access! BULLSHIT! You provide access to a commodity and there is the VERY BIG difference. Ask AT&T!
And that's where M@'s at!
You're wrong on several accounts. Bandwidth DOES cost money. Several costs include hardware to get you the bandwidth, cabling to your house, upstream provider costs, etc. If you think that part of the internet is free, you are severely mistaken.
The internet is not a public space all the time (IRC and message boards would be public spaces), but if you allow yourself to be on the internet, you are allowing others to access your space. If you put a computer directly on the internet, it is not your ISP's job to secure that for you. It is YOUR job to maintain the integrity of your own machine. If someone hacks your machine because you failed to close a port, that is your fault. Trying to blame the ISP is not going to get you anywhere.
My AT&T (now Comcast) cable modem specifically has a clause in the terms of service that says something like, "your connection is your responsibility. If you allow others to use it and they do something illegal, since it is your connection, that means you did something illegal."
Why read the article when I can just make up a snap judgement?
I have been misunderstood here. What I meant was that traffic hardly produces costs; building up and maintaining the network infrastructure does that. So, there is no sensible reason for billing by traffic instead of having a fixed rate where the price depends on bandwidth only.
If you're *co*locating servers with an ISP, you're entering a partnership, like a lease. You're leasing space/power/bandwidth from them and promising to take care of things -- they promise to keep everything maintained. Both sides take risks and the risks are spelled out in the contract.
Every contract I've ever dealt with for a colo involves peak usage billing -- 95th percentile of average traffic is typical. Of course this is usually for a half rack, full rack, or cage -- not a single box. But that's been the deal at huge data centers (e.g. Exodus, RIP) and local ISPs (BNSI, my local colo provider).
They provide space, power, and bandwidth. I pay a flat rate for the space and power and a specified rate for the bandwidth -- my BNSI colo takes the higher of inbound or outbound 95% for the monthly charge.
I act as a good tenant -- I keep my boxes (even the windows ones) patched. I have a solid firewall. I put rate limiters on sites that need them. I monitor traffic. Everything a decent sysadmin does.
They act as a good landlord -- they keep things running, they notify me of problems, and they monitor their network well enough that I get a call when they notice (netsaint) my bandwidth spike, like when I upload 9 GB of data files for a client one evening.
We both act like responsible adults and everything is fine. Slammer's an excellent example -- one client at their site had an unpatched sql server -- sort of like letting the grass get 2 feet high in front of your rental house. The ISP cut them off, just like the landlord can step in and cut your grass if you're not maintaining it. Clients of mine at another site lost 6 hours of uptime because the ISP responded poorly to someone's unpatched box. Two days later, that ISP was hit by slammer on ANOTHER box. Not a good landlord -- they're not taking care of the properties they own.
A lot of the billing ideas in this discussion are intellectually sound but hard to implement in practice -- I mean tracking each packet and throwing it in a particular category for billing? If the ISP is doing that, the costs are going to be $$$$ and those will be passed on. I don't want to pay that because I don't need it -- and the ISP shouldn't raise its prices to solve a problem that's not really their problem.
So an incoming spike comes in -- I want a phone call/page where they ask me if that's OK. I'll even pay for the service. Whether it's a good (more business) or bad (hacker traffic) spike I need to react to it. I've got systems in place and they have systems in place. We're both good citizens. We both benefit. Max benefit for minimum work. I don't need to be charged properly for each packet -- I just need to be charged properly for my usage trends.
So write it into your contract -- don't use SQL Server, ask the ISP to block it outside your switch. Or keep the records yourself and contract with them to refund the bandwidth if you get excessive traffic you didn't and can't use. It's like saying "How about if I cut the grass and paint this rental house and you reimburse me the expenses if I do a professional job". Win/win for everyone. Clear terms. If I do a crappy painting job, I shouldn't get reimbursed, just like if I do a crappy record keeping job about packet traffic on the server I shouldn't get a refund.
Hacker attacks, etc., are part of the cost of doing biz on the Internet. You open a shop in real life, you deal with shoplifting -- you build it into your costs, either through higher security or anticipated "breakage" or whatever. I charge my clients more for SQL Server than MySQL not only because the license is much more expensive, but because the risks are higher from a security perspective. There'll be some breakage -- plenty of extra TCP 1433 on my firewall -- but it's built into the cost. As is the time I spend upgrading Windows 2000 and SQL Server. When you lease a house, you might call this normal wear and tear.
So it's a lease. Find a good landlord. Be a good tenant. Anticipate wear and tear. Build that into your budget.
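The 95th-percentile billing the comment above describes is what decides whether a spike like the 9 GB evening upload, or a days-long worm flood, actually shows up on the bill. The following is an added example, not code from the poster or from any provider: it assumes the common nearest-rank method over 5-minute counter samples (sort the month's samples, discard the top 5%, bill the highest remaining value, taking the higher of inbound and outbound). Exact rounding and sample interval vary by contract, so treat those as assumptions; the traffic series below is constructed.

```python
import math
from typing import Sequence

# Assumption: one counter reading per 5-minute interval, as is typical for
# SNMP-polled 95th-percentile billing. Adjust to match your own contract.
INTERVAL_SECONDS = 300
SAMPLES_PER_DAY = 86400 // INTERVAL_SECONDS  # 288


def bytes_to_mbps(byte_count: int, interval_seconds: int = INTERVAL_SECONDS) -> float:
    """Convert a byte counter delta for one interval into an average rate in Mbit/s."""
    return byte_count * 8 / interval_seconds / 1_000_000


def percentile_95(samples: Sequence[float]) -> float:
    """Nearest-rank 95th percentile: the smallest value that 95% of samples fall at or below.

    Integer arithmetic for the rank avoids floating-point surprises at exact multiples.
    """
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = (95 * len(ordered) + 99) // 100  # ceil(0.95 * n), 1-based
    return ordered[rank - 1]


def billable_mbps(inbound: Sequence[float], outbound: Sequence[float]) -> float:
    """Bill the higher of the two directions, as the poster's colo contract does."""
    return max(percentile_95(inbound), percentile_95(outbound))


def discardable_hours(days: int = 30) -> float:
    """How many hours of the billing period are dropped before the peak is measured.

    This is the headroom a short burst can hide in; a sustained flood exceeds it.
    """
    n = days * SAMPLES_PER_DAY
    dropped = n - (95 * n + 99) // 100
    return dropped * INTERVAL_SECONDS / 3600


def build_month(baseline_mbps: float, spike_mbps: float, spike_samples: int,
                days: int = 30) -> list:
    """Constructed traffic series: flat baseline with one contiguous spike in the middle."""
    n = days * SAMPLES_PER_DAY
    if spike_samples > n:
        raise ValueError("spike longer than billing period")
    series = [baseline_mbps] * n
    start = (n - spike_samples) // 2
    for i in range(start, start + spike_samples):
        series[i] = spike_mbps
    return series


if __name__ == "__main__":
    # Scenario 1: a 3-hour upload burst (36 samples) on an otherwise quiet link.
    short_in = build_month(10.0, 300.0, 36)
    outbound = build_month(20.0, 20.0, 0)
    print("headroom hours per 30-day month:", discardable_hours())      # 36.0
    print("3-hour burst, inbound p95:", percentile_95(short_in))        # 10.0
    print("billable (max of directions):", billable_mbps(short_in, outbound))  # 20.0

    # Scenario 2: a 2-day worm flood (576 samples) blows past the 5% headroom.
    flood_in = build_month(10.0, 300.0, 2 * SAMPLES_PER_DAY)
    print("2-day flood, inbound p95:", percentile_95(flood_in))         # 300.0
    print("billable (max of directions):", billable_mbps(flood_in, outbound))  # 300.0
```

The two scenarios make the comment's point concrete: a short burst, even a large one, falls inside the roughly 36 hours per month that the method throws away, while a flood that persists for days sets the billed rate regardless of whether it was requested. That is why the poster wants an alert on the spike rather than per-packet accounting; reacting within the headroom window is what keeps the bill unchanged.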