Slashdot Mirror


Bad Behavior on the 'Net - Who Pays the Bandwidth Bill?

rakolam asks: "I am involved with network management in the hosting department of a fairly large ISP. Constantly we have customers who dispute inbound bandwidth spikes and demand service credits on their burstable connections. Events such as the Slammer Virus literally have everyone knocking on their salesperson's door at the end of the billing cycle. My position is that the internet is a public space, and by placing themselves in that space, one has to realize the consequences (and the implications of burstable billing). I'd like Slashdot's perspective on this. Should ISPs ultimately eat the costs of malicious behavior? Is the customer ultimately responsible for the bandwidth they've generated, regardless of whether it's desired or not? Is this a new frontier for insurance companies?"

34 of 595 comments

  1. analogous to water/electric company IMHO by rdewald · · Score: 5, Insightful

    What happens to you if someone runs an extension cord from your house or if you spring an unknown water leak? You get a huge bill and you fix the problem. How is this different?

    --
    The best way to do is to be.
    1. Re:analogous to water/electric company IMHO by prator · · Score: 4, Funny

      Not a very good analogy. More like you have an electrical socket outside your house, and you have a sign that says, "Use me". Then you get upset when the circus comes to town and powers everything off your socket.

      -prator

    2. Re:analogous to water/electric company IMHO by captain_craptacular · · Score: 5, Insightful

      Bad Analogy. The poster says customers dispute INCOMING bandwidth spikes. So the analogy would be more along the lines of someone sending a huge power surge through your lines un-announced and un-requested, then the power company attempting to charge you for it.

      I lean towards the consumer not having to pay, considering they didn't request the traffic and are therefore not responsible for it.

      --
      They who would give up an essential liberty for temporary security, deserve neither liberty nor security
    3. Re:analogous to water/electric company IMHO by Fishstick · · Score: 5, Insightful

      Yep, I was thinking along the same lines. It's like having a drinking fountain outside your house for public use - you are expecting maybe 10-20 gallons monthly as people stop by and have a quick sip. Then, you get all pissed when your water bill comes and 5,000 gallons show up when the circus comes to town and all the clowns have used your water fountain to fill all their water balloons. :-)

      Do you then go ask for a credit from the utility because of the excessive/unexpected use?

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    4. Re:analogous to water/electric company IMHO by jgerman · · Score: 5, Interesting
      No but what I do expect is to be able to set a turn off point for my site when bandwidth goes too high. Here's a for instance. I wanted to put up a smallish site at WazooWeb (yes I actually clicked on a /. banner) for 6.95 a month it didn't seem like a bad deal, and 10GB of bandwidth seems more than enough. But what if I get /.'ed, or something equally remote happens that blows me over the limit. I want a way to say, once I'm at my limit shut me down for the month, unless I explicitly come in and say go ahead... I'll take the extra charges. It's not like I even want it on by default, I'm perfectly ok with setting the threshold myself.


      Of course my small scale situation may not translate to a large business account.

      --
      I'm the big fish in the big pond bitch.
    5. Re:analogous to water/electric company IMHO by luzrek · · Score: 4, Insightful
      build in clauses that say the end-user is required to notify the ISP of problematic access within a certain timeframe

      This would be like dealing with stolen credit cards. When a credit card is stolen the owner gets 24 hours to report it and is only liable for $50. If they wait up to 72 hours, they are only liable for $500. I'm not sure what happens after that. This system protects both the credit card company and the credit card user by ensuring prompt reporting of stolen credit cards and fraudulent activity (and can hopefully catch the crook). This system has worked fairly well.

      The implications for ISPs and their customers for a similar system would be pretty interesting. The customers who actively monitor their network traffic and help to head off problems would be rewarded by being less liable for damage, while ISPs would be free to give the full bill to those who ignore their bandwidth usage. This system should lead to lower costs for the better customers and discourage negligence, possibly leading to better service for all.

      --

      Gallium Arsenide is the material of the future, and always will be.

    6. Re:analogous to water/electric company IMHO by jazman_777 · · Score: 4, Funny
      Then you get upset when the circus comes to town and powers everything off your socket.

      Holy cow, that circus next door, it's not free?!

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    7. Re:analogous to water/electric company IMHO by gmack · · Score: 4, Informative

      There are several Apache mods that will either limit total usage or shut off files on the end of large spikes.

      The original question though is what should the ISP have done. IMO they should have firewalled access to the affected ports and then split the cost.

    8. Re:analogous to water/electric company IMHO by DanEsparza · · Score: 5, Insightful
      I completely disagree. Bandwidth is analogous to people using roads (network connections). If roads are heavily used, they must be maintained, or they fall into disrepair. If network connections are heavily used, ISPs need capital to get bigger (or more) connections so that certain service levels can be maintained.

      We don't live in an (entirely) communist world. We don't get to pass out resources indiscriminately. We have a fixed amount of resources, and as with any case of supply and demand, the person holding the supply can (and should) charge for using the resource. In the case of network bandwidth, the resource is not obvious, but it is still tangible: It is network equipment and opportunity costs.

    9. Re:analogous to water/electric company IMHO by vano2001 · · Score: 4, Interesting

      There is mod_throttle for Apache which can be set up along with some scripting to activate/deactivate a virtual host. I have done this myself for a webhosting company. The problem is that the web hosting companies decide it is better not to have this option and force clients to charge the extra bandwidth. It is a business policy and not a technical impediment.

    10. Re:analogous to water/electric company IMHO by -Surak- · · Score: 4, Informative

      Presumably this refers to hosted server connections, rather than a simple virtual web server account. For this sort of connection, I would want a true Internet connection, instead of some firewalled lan port. I would be very upset if the ISP did ANY filtering on my connection without my specific request or knowledge. It's none of the ISP's business what I do with my end of the network cable (aside from spam policies) - they don't need to know if I'm running a web server, SQL server, or some custom game server that happens to use UDP/1443.

      Most colo providers I'm familiar with bill on 95th percentile bandwidth, which means that they drop the top 5% of samples (typically 5-minute average) and bill you for the bandwidth of the highest remaining sample. This means that you can absorb short-term heavy bandwidth spikes without being charged, up to about a day and a half worth of time per month.

      In any case, the ISP should have no way of knowing WHAT traffic creates the bandwidth spike, unless I specifically request that they monitor my port. Of course, smart ISPs will exploit these incidents by offering firewalling services as a value-add, even if it's just stateless filtering at the router, as a way for customers to "insure against unexpected traffic spikes from virus/worm activity".

      Of course, if I was paying for virtual web service, rather than a server colo and bandwidth fee, I should not be charged for non-web traffic, and I doubt any ISP would have the balls to do so.
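The 95th-percentile scheme described in the comment above, carried through in code as an added example (this is not code from the thread or from any provider's billing system). The month of traffic it builds is constructed; the 5-minute sample interval and 30-day month are assumptions.

```python
"""95th-percentile ("burstable") billing, as described in the comment above.

Added example, not code from the thread or from any ISP's billing system.
Scheme: sample the port's average rate every 5 minutes, sort the samples,
discard the top 5%, and bill the highest remaining sample. The traffic
below is constructed; a 30-day month and 5-minute samples are assumptions.
"""

SAMPLE_SECONDS = 300  # one sample per 5 minutes


def percentile_bill_rate(samples_mbps, percentile=95.0):
    """Billable rate in Mbit/s: drop the top (100 - percentile)% of samples and
    bill the highest sample that survives. A partial sample is dropped, not billed."""
    if not samples_mbps:
        return 0.0
    ordered = sorted(samples_mbps)
    keep = int(len(ordered) * percentile / 100.0)
    keep = max(1, min(keep, len(ordered)))
    return ordered[keep - 1]


def free_burst_seconds(n_samples, percentile=95.0):
    """Wall-clock time per period that can sit at any rate without raising the
    bill: the discarded samples times the sample interval."""
    dropped = n_samples - max(1, int(n_samples * percentile / 100.0))
    return dropped * SAMPLE_SECONDS


def month_of_samples(baseline_mbps, spike_mbps=0.0, spike_hours=0.0, days=30):
    """Construct a month of 5-minute samples: a flat baseline with one spike
    of the given height and length at the start of the month."""
    n = days * 24 * 3600 // SAMPLE_SECONDS
    spike_n = min(n, int(spike_hours * 3600 // SAMPLE_SECONDS))
    return [spike_mbps] * spike_n + [baseline_mbps] * (n - spike_n)


if __name__ == "__main__":
    n = 30 * 24 * 3600 // SAMPLE_SECONDS
    print("free burst time per month: %.1f hours" % (free_burst_seconds(n) / 3600))
    for hours in (24, 48):
        # a worm-driven inbound spike of 90 Mbit/s on a 2 Mbit/s baseline
        samples = month_of_samples(2.0, spike_mbps=90.0, spike_hours=hours)
        print("%d h spike -> billed at %.1f Mbit/s" % (hours, percentile_bill_rate(samples)))
```

Thirty days of 5-minute samples is 8640 samples; 5% of those is 432 samples, or 36 hours, which is the "day and a half" figure in the comment. The 24-hour spike is absorbed and billed at the 2 Mbit/s baseline; the 48-hour spike exceeds the free allowance and is billed at 90 Mbit/s.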

    11. Re:analogous to water/electric company IMHO by dhogaza · · Score: 4, Informative

      The City of Portland Water Bureau will forgive excess water bills due to undetected leaks or the like if you show that you've fixed the problem. Often leaks aren't detectable and a large water bill is the first clue the homeowner sees (western Oregon is very wet, water water everywhere)

    12. Re:analogous to water/electric company IMHO by DunbarTheInept · · Score: 4, Insightful

      Firewalling doesn't solve the problem. By the time the packet reaches the ISP's customer, it's already been counted. Whether the customer replies to the request or denies it with negative feedback, or just ignores it - doesn't matter - it's already been passed through the ISP on the way to reach the customer, so they've already counted it.

      If you hold the customer responsible, then people angry with that person can just drive up that person's cost by choosing to flood him.

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  2. Charge on sent traffic. by FirstManOnMoon · · Score: 5, Interesting

    Every ISP should base charges only on how much traffic you send. That would give people a real incentive to keep their systems patched and secured. You wouldn't have to pay a ridiculous amount if you're on the receiving end of a DOS. You would have to pay if your systems get hacked or catch a worm though.

    Alas, unless every ISP participated, this model wouldn't work well.

  3. Users just won't pay by drfuchs · · Score: 5, Insightful

    If someone steals my credit card number, the credit card company won't even charge me the $50 that they have the legal right to. I doubt that ISPs will be able to fare any better.

    1. Re:Users just won't pay by Gaijin42 · · Score: 4, Informative

      That's because they pass that cost on to the vendor, for not validating enough information about who the purchaser was.

      The CC company doesn't eat that. The vendor does for accepting the stolen card

  4. Simple policy by cybermace5 · · Score: 5, Interesting

    Keep up to date on current worms and other bandwidth threats. Notify your customers about these threats, and provide information on how to eliminate or reduce the impact.

    Any massive bandwidth they log after that, is their responsibility. You notified them, and they did not listen.

    After a few incidents like that, they will start to listen to your warning messages.

    --
    ...
    1. Re:Simple policy by Croaker · · Score: 5, Interesting

      Err... the problem is customers are billed by the ISP for incoming bandwidth. How is a customer supposed to stop incoming packets from some pinhead's server that got itself infected with some virus? Is the ISP allowing them to setup a firewall outside the ISP to block this stuff? If not, then saying 'hey, there are some nasty viruses going around' is pretty much beside the point. There's nothing the customer can do to block those incoming packets before they are charged for them by the ISP.

      This is a thorny issue. The real answer is that the twit whose server got owned and is spewing garbage out on the net should be responsible for paying. But enforcing that is going to be a problem.

    2. Re:Simple policy by sweetooth · · Score: 5, Insightful

      Protecting yourself from an attack, such as code red, doesn't mean it doesn't still eat bandwidth. It's the same with anything. I noticed today that my mail server was a little sluggish. I ssh'd into it, checked the logs and saw the same bastard attempting to send spam to the server and tons of rbl lookups were taking place. So I added the various IPs to the firewall's blacklist. So now the mail isn't processed, but whatever program they are using doesn't even bother to check to see if the mail is being accepted, it just keeps spamming. So, I'm still having a fairly large percentage of my bandwidth being eaten because of a very inconsiderate individual. Stopping code red was the same. At one point I was logging thousands of attempts every day. They were not successful, but they still ate the bandwidth.

      I don't know what the solution to the problem is exactly. As it stands now I pay for any bandwidth used regardless of how or why it was used. It would be much better if those charges could be passed along to the person responsible for abusing your bandwidth, but how that could be enforced is beyond me.

      One thing I have to note here is that the person posing the question is talking about INBOUND spikes not outbound. So your points are even less relevant.

    3. Re:Simple policy by ADRA · · Score: 5, Interesting

      Here is a 'simple' policy as an ISP.

      If you are hosting business internet lines give the customers 2 options.

      1. Wide open internet. Nothing is filtered on the ISP end, as it stands today, and the customer is 100% liable for ANY traffic circulating between the internet and the customer, solicited or not.

      2. Abuse Managed Internet. Charge a fee to the customer per month, which get the customer:
      - Any abuse, aka DOS attempts removed from the monthly bandwidth
      - The ISP will filter abuse attempts before they occur, so if there is a code red floating around, allow a transparent proxy / firewall to throw the packets away before it causes your customers harm.
      The trade-off for the customer is a more assured price and quality of service, for the price of flexibility and a nominal charge.

      --
      Bye!
  5. It's in the contract by eagle486 · · Score: 5, Insightful

    The customer pays what is in his contract. Make the language very explicit. There is no reason the ISP should eat it.

  6. In other words by djKing · · Score: 5, Insightful

    Should /. pay the bill for the /. effect?

    -Peace

    --
    Free as in "the Truth shall set you..."
    1. Re:In other words by unicron · · Score: 5, Interesting

      I've always wondered about that. If you had your business on the net, and /. linked to it, causing it to go down, would /. be liable? Assume the following before replying:

      • /. did NOT warn the page
      • The page in question NEVER receives the amount of traffic necessary to bring it down.
      • Let's assume it happened on a Saturday, when they had minimal support
      • The company can PROVE they lost revenue. /. can't really play dumb, they HAVE TO know the /. effect is going to be too much for a page. It can almost be called a DoS attack at this point.

      --
      Finally, math books without any of that base 6 crap in them.
  7. Balanced response. by gehrehmee · · Score: 5, Insightful

    Give them a complete or partial rebate, the first time, and have a set of "How can I protect myself?" documentation ready for the user. Email it to them, mail it to them, fax it to them, whatever it takes to get them to read it.

    Inform them that if they ignore those suggestions, and future problems end up costing them money, then they'll have to foot the bill.

    This way, the customer walks away happy and informed, and if they're really willing to be a good net citizen, they won't come back crying.

    If they're not willing to do what's required of them, they'll get stuck paying for it.

    --
    "You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
  8. Monitoring and Opting Out by pbryan · · Score: 5, Interesting

    My previous employer was unfortunate enough to be attacked by a series of distributed ICMP ping flood attacks. Our bill jumped from under $1K per month (Canadian) to over $10K in less than a day.

    We adjusted our monitoring process to detect these spikes early and contact our ISP to deny traffic from the offending subnets. Luckily, our ISP was willing to do this, even though they still incurred traffic from inbound packets. Luckily, these attacks originated from a few subnets that could be isolated.

    As a further kludge, we eventually disabled ICMP altogether on our routers, and lived without ping and traceroute.

    Having a host on the net is a risky proposition. You pay for inbound and outbound traffic, regardless of the source, packet type, or quantity. DDoS attacks can not only prevent your server from being accessible, they could literally bankrupt you if you become a target and don't take preventative measures.

    Hmm... One click bankruptcy. I wonder if anyone has tried to patent this yet...

    Our ISP was technically capable of detecting and thwarting various attacks. Ultimately, the policy of monitoring and contacting an ISP when traffic exceeds a certain threshold seems like a workable solution for average co-locators.

    Given the architecture of the Internet, it's difficult to see how we could shift the burden to pay away from the server to the client. It seems like a problem remarkably similar to the problem of spam.

    --

    My car gets 40 rods to the hogshead, and that's the way I likes it!

  9. Bad business by Obiwan+Kenobi · · Score: 4, Insightful

    If you treat your customers like this, you're going to lose them. Simple as that.

    I liked the analogy someone else came up with, such as someone running an extension cord from your house to theirs. Who is responsible here?

    If I had hosting with your company, and the slammer bug hit servers that your sys admins failed to update, then you better eat that burstable bandwidth bill or a lawsuit couldn't be far behind (depending on the amount, of course). If the servers were my responsibility, including keeping them updated, etc, then I could understand your reasoning.

    If a DDoS attack cripples my site, and you expect me to pay for that, you're sorely mistaken.

    The simple fact is if they caused it, they paid for it. This includes patches/fixes the customer should've implemented. If you run and maintain that server for them, then no bill increase should be applied.

    If someone out in the world caused it, a random malicious event that they just so happened to be on the brunt end of, just throw away that burstable bandwidth bill and make sure your customer knows you did them a favor.

    It may not be your place as to pay for that second scenario, but you'll keep your customers longer, keep them happier and keep word of mouth on your company going strong.

    It's just good business. Were this my company, I would never even think of treating customers this way.

  10. Look at it historically by paleck · · Score: 4, Interesting

    I work for a small local ISP, before making any decisions we always look at it historically using MRTG. If the customer all of a sudden starts spiking up from their normal amount of traffic, then we will let it slide at first. We will warn them that they may need to check to see if there are any updates for their computers that can help. Also we tell them what to check for regarding P2P programs on computers that they may not know about. If it continues then we are justified in charging them more, because they didn't heed our warnings the first time. Most of the time the customer's computer(s) are at fault for the bursts that are coming on their connection. Don't know if this helps in your case, but it seems to work well for us.
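One way to do the threshold monitoring that pbryan (comment 8, "detect these spikes early and contact our ISP") and paleck (comment 10, "look at it historically using MRTG") describe, as an added example rather than code from either poster: compare each new 5-minute counter reading with a baseline taken from the previous day's readings and flag the intervals that exceed it by a factor. The counter values are constructed; the interval, window length, factor and floor are assumptions.

```python
"""Spike detection against a historical baseline (added example, not code
from the thread). Input is a series of per-interval inbound byte counts of
the kind MRTG graphs; the values used here are constructed.
"""
from statistics import median

INTERVAL = 300  # seconds per counter reading (MRTG's default)


def rate_mbps(bytes_in_interval, interval=INTERVAL):
    """Average rate over one interval, in Mbit/s."""
    return bytes_in_interval * 8 / interval / 1e6


def detect_spikes(samples_mbps, history=288, factor=5.0, floor_mbps=1.0):
    """Return (index, rate, baseline) for every sample above factor * baseline.

    baseline is the median of the preceding `history` samples (288 = one day at
    5-minute intervals). The median is robust: a flood shorter than half the
    window does not drag the baseline up and hide itself. floor_mbps keeps a
    nearly idle link from alarming on trivial traffic.
    """
    alerts = []
    for i in range(history, len(samples_mbps)):
        window = samples_mbps[i - history:i]
        baseline = max(median(window), floor_mbps)
        if samples_mbps[i] > factor * baseline:
            alerts.append((i, samples_mbps[i], baseline))
    return alerts


def excess_bytes(samples_mbps, alerts, interval=INTERVAL):
    """Bytes the flagged intervals carried above their baseline: the figure a
    customer would take to the ISP to dispute, or ask to have filtered."""
    total = 0.0
    for i, rate, baseline in alerts:
        total += (rate - baseline) * 1e6 / 8 * interval
    return int(total)


if __name__ == "__main__":
    # one quiet day, then a 15-minute (3 interval) ICMP flood at 40 Mbit/s
    day = [rate_mbps(75_000_000)] * 288   # 75 MB per 5 min = 2 Mbit/s
    series = day + [2.0] * 10 + [40.0] * 3 + [2.0] * 5
    found = detect_spikes(series)
    for i, rate, base in found:
        print("interval %d: %.1f Mbit/s vs baseline %.1f Mbit/s" % (i, rate, base))
    print("excess bytes to dispute:", excess_bytes(series, found))
```

In practice the series would be fed from the same counters MRTG polls (SNMP interface octet counters), and an alert would trigger the call to the ISP's NOC with the offending subnets, which is the step pbryan describes.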

  11. Re:I say charge the customer by Enry · · Score: 4, Interesting

    How shortsighted.

    For one thing, the packets go down the wire whether the service is running or not. Thousands of requests per second to a box that isn't running the service still has to respond and say "sorry, not running here". Even if it's a few bytes per, it adds up quickly.

    Should a customer be charged for requests coming in for a service they don't offer? No, that's the point of the firewall (or packet filter really).

    ISPs could have a new revenue stream by looking at this problem differently.

    They can offer a firewall for a per-month fee and waive any bandwidth increases as a result of DDOS attack or other worm-checking that could be blocked by the firewall. An active firewall could proxy HTTP requests, also filtering out common IIS exploits.

    User doesn't want the firewall? Fine, you're responsible for all charges.

    This would at least give end users an option instead of what will border on collusion when all the AUP/TOSs change to read the same thing.

  12. proof of malicious intent by ShortSpecialBus · · Score: 4, Insightful

    unfortunately, there would have to be proof of malicious intent, or at LEAST a reasonable knowledge that linking to the page would cause the business to lose money.
    While /. would have a reasonable knowledge that linking to the page will cause the page to load slowly, they don't know what sort of connection the page is on, nor is it their responsibility to find out.

    The day anybody becomes liable for linking to a page on the internet will be the end of the world wide web...that's the whole premise of the thing...

    The only thing I can think of is something similar to the robots.txt file...have your webserver have a slashdot.txt file that says something like NoSlashdotLinkage = true in it or something, anything similar to the thing for preventing search engines.

    --
    //FIXME: Bad .sig
  13. Fairer - sent or solicited - a modest proposal: by Ungrounded+Lightning · · Score: 4, Interesting

    Every ISP should base charges only on how much traffic you send. That would give people a real incentive to keep their systems patched and secured. You wouldn't have to pay a ridiculous amount if you're on the receiving end of a DOS. You would have to pay if your systems get hacked or catch a worm though.

    Good idea but it doesn't quite go far enough.

    You should be billed for the traffic you CAUSE or SOLICIT, and thus have control over. Much of internet traffic is things like web browsing, which involves a small request soliciting a large reply. If you suck down 60 megabytes of web porn, MP3s, or ftp downloads, it's your bill. Similarly if you host a server, which accepts little requests and pours out data, it's your bill.

    But if somebody starts sending you unsolicited packets, that's like somebody making nuisance calls or pages. (You will notice that pagers, at least, are generally NOT billed by the page. They tried that, and the customers rebelled because they had no way to block idiots with autodialers.)

    So something with a little deeper visibility is in order. Here's a fair approach:

    TCP: You get billed if you make, attempt to make, or accept, a connection. You don't get billed for attempted connections you refuse or that don't get completed (i.e. SYN and other DOS attacks).

    UDP: You get billed for outgoing UDP packets. If the billing machine is sufficiently stateful, you might also be billed for incoming UDP packets that ARE replies to a recent outgoing UDP request using a well-known UDP request/reply protocol. (This would prevent cheating but still protect you against getting billed for both DOS attacks and forged-reply billing attacks.)

    ICMP: All are free except outgoing ECHO REQUEST (ping), because they're a mandated part of the network overhead. (You don't want to bill inbound ECHO REPLIES to prevent billing for forged reply attacks. But you might bill ECHO REQUEST as if it went both inbound and outbound, to cover the expected ECHO REPLY without making the billing machine stateful about ping "connections".)

    That should pretty much cover it. Customers would:
    - be fairly billed for the bandwidth they used, caused to be used, or allowed to be used,
    - not be billed for unsolicited "phone calls", DoS attacks, or mandated network overhead, and
    - have a strong financial incentive to keep their system secured against crackers and malware (such as viruses and worms).

    And installing a get-around-the-billing hack (like PPP-over-ECHOREPLY) would be a violation of terms-of-service and cause for disconnection - or changing the billing of that customer back to "all bandwidth co$t$" B-)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
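The billing rules proposed in the comment above, carried through on a constructed traffic record, as an added example (not code from the poster or from any billing system). The flow-record layout, the 30-second window for matching an inbound UDP reply to its outgoing request, and the traffic itself are assumptions made for the illustration.

```python
"""Billing by caused or solicited traffic, per the proposal above.

Added example, not code from the thread. Each Flow is one connection or
datagram as a billing box in front of the customer port would see it;
direction is relative to the customer ('out' = customer sent/initiated it).
All records below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

UDP_REPLY_WINDOW = 30.0  # seconds an outgoing UDP request solicits replies (assumption)
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


@dataclass
class Flow:
    ts: float
    proto: str                        # 'tcp' | 'udp' | 'icmp'
    direction: str                    # 'out' or 'in'
    nbytes: int
    tcp_state: Optional[str] = None   # 'established' | 'refused' | 'incomplete'
    remote: Optional[str] = None      # 'ip:port' of the other end (udp)
    local_port: Optional[int] = None  # customer-side port (udp)
    icmp_type: Optional[int] = None


def charge_for(flow, recent_udp):
    """Return (billable_bytes, reason) for one flow, updating the table of
    recent outgoing UDP requests keyed by (remote, local_port)."""
    if flow.proto == "tcp":
        # Rule: billed if you make or attempt a connection, or accept one;
        # refused or incomplete inbound attempts (SYN floods) are free.
        if flow.direction == "out" or flow.tcp_state == "established":
            return flow.nbytes, "tcp connection made or accepted"
        return 0, "tcp attempt not accepted"
    if flow.proto == "udp":
        key = (flow.remote, flow.local_port)
        if flow.direction == "out":
            recent_udp[key] = flow.ts
            return flow.nbytes, "udp sent"
        # Inbound UDP is billed only as a reply to a recent outgoing request;
        # anything else (worm probes, forged replies) is unsolicited and free.
        sent_at = recent_udp.get(key)
        if sent_at is not None and 0 <= flow.ts - sent_at <= UDP_REPLY_WINDOW:
            return flow.nbytes, "udp solicited reply"
        return 0, "udp unsolicited"
    if flow.proto == "icmp":
        # Rule: ICMP is free overhead, except an outgoing echo request, which
        # is billed twice to cover the reply without tracking ping state.
        if flow.direction == "out" and flow.icmp_type == ICMP_ECHO_REQUEST:
            return 2 * flow.nbytes, "icmp echo request (billed both ways)"
        return 0, "icmp overhead"
    raise ValueError("unknown protocol %r" % flow.proto)


def bill(flows):
    """Total billable and free bytes over a set of flows, plus a line per flow."""
    recent_udp = {}
    billable = free = 0
    lines = []
    for f in sorted(flows, key=lambda f: f.ts):
        charged, reason = charge_for(f, recent_udp)
        billable += charged
        free += 0 if charged else f.nbytes
        lines.append((f.ts, f.proto, f.direction, f.nbytes, charged, reason))
    return {"billable": billable, "free": free, "lines": lines}


def sample_flows():
    """Constructed traffic: normal use plus a SYN flood, an unsolicited UDP
    worm probe on 1434/udp and an inbound ping flood."""
    return [
        Flow(1.0, "tcp", "out", 5000, tcp_state="established"),
        Flow(2.0, "tcp", "in", 20000, tcp_state="established"),
        Flow(3.0, "tcp", "in", 60, tcp_state="incomplete"),
        Flow(10.0, "udp", "out", 100, remote="198.51.100.7:53", local_port=40000),
        Flow(10.2, "udp", "in", 500, remote="198.51.100.7:53", local_port=40000),
        Flow(11.0, "udp", "in", 1500, remote="203.0.113.9:1434", local_port=1434),
        Flow(12.0, "icmp", "out", 64, icmp_type=ICMP_ECHO_REQUEST),
        Flow(12.1, "icmp", "in", 64, icmp_type=ICMP_ECHO_REPLY),
        Flow(13.0, "icmp", "in", 1000, icmp_type=ICMP_ECHO_REQUEST),
    ]


if __name__ == "__main__":
    result = bill(sample_flows())
    for ts, proto, d, n, charged, reason in result["lines"]:
        print("%5.1f %-4s %-3s %6d -> %6d  %s" % (ts, proto, d, n, charged, reason))
    print("billable:", result["billable"], "free:", result["free"])
```

The caveat the proposal itself raises applies here too: the customer-side state (which UDP requests went out, which TCP handshakes completed) has to live on the billing box, and a customer who tunnels data inside ICMP echo replies to dodge the meter is a terms-of-service problem, not something this classifier catches.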
  14. Just like in real life by raarts · · Score: 5, Interesting

    Suppose you live on a crosspoint of several countries. Your house happens to be located in a dangerous curve on the road. Also for some reason your house looks to some kiddies like it asks to be vandalized.

    For these reasons you get a lot of break-in attempts, occasionally a truck crashes through your walls. All this is not only by people from your own country, but from neighbouring countries as well.

    You install warning lights and other measures so cars and trucks don't come in crashing. You call the police when kiddies vandalize your home, but they say they can't do anything.

    All this costs you a lot of money and headaches.

    In real life there are several ways to defend yourself:

    • taking your own safety measures as can reasonably be expected from a houseowner
    • get insured for the unexpected
    • trust the police to catch criminals
    • trust international law enforcement for border-crossing crimes

    Now apply these principles to your hosting server.

    • Of course you should take every precaution within reason to prevent your server from being hacked (keep it up to date folks)
    • Get an insurance for unexpected costs. I'll bet insurance companies could do well here
    • Trust the cops for catching the script kiddies and real criminals. Alas, the police is hopelessly understaffed and low on resources for these new crimes. Also legislation is lagging behind
    • International laws? Don't count on it. Same as above, but worse.

    Suppose your house is rented. Is the person renting you the house responsible for every breach? Did he warn you before you signed the contract? Is it his responsibility to call you every time some vandals are passing on the road? Or some truck may crash into your home?

    Of course your ISP can warn you for every threat that may be coming, but what if there's no warning time? Or he misses a small thing that happens to affect your server bigtime? Is the ISP really responsible?

    Be careful out there...

  15. Hrm by pclminion · · Score: 5, Interesting
    Well, here's the scenario people seem to be putting forth:

    ISP A has customer X. ISP B has malicious user Y. Malicious user Y sends huge quantities of packets to user X.

    The question seems to be, should ISP A eat the cost, or should customer X eat it? Why the hell are those the only two options?! It seems to me like ISP *B* should eat the cost, since the malicious packets were sent through their network in the first place. ISP B can attempt to recover their loss directly from malicious user Y.

    The ISP *and* the customer are both victims in a DOS attack. Whoever runs the network which *initiated* the attack should be responsible.

  16. People should be accountable by chunkwhite86 · · Score: 4, Interesting

    People should be accountable. If their PC is infected with a worm or virus which results in a large bandwidth bill, the customer is responsible to pay it. Afterall, the ISP has a bandwidth bill to pay too, and they certainly don't get a "service credit" just because your Windoze box has W32@Klez.

    In addition, making the people responsible for their personal worm/virus traffic would make folks more proactive about virus prevention and more cautious of which sites they visit. This IMHO is a Good Thing.

    Another potential positive would be that people might start wondering "Why does my friend/relative who runs Linux never complain about viruses?" and "Gee with all these viruses that only affect microsoft products, maybe I should look elsewhere for my software needs."

    At least in my state, you are responsible for your car's emissions. If your car is polluting above the state limit, regardless of the reason, it is your responsibility to fix it. They don't care what the reason is for your excessive emissions, whether it was rust, hungry chipmunks, incompetent redneck mechanics, or just a poorly built ford suv. And they have a system of mandatory repairs and/or fines in place to enforce this. This is a Good Thing.

    --
    I'd rather be a conservative nutjob than a liberal with no nuts and no job.
  17. How it works here by ziegast · · Score: 4, Informative
    I currently work for an ISP that offers shared and dedicated web services. The Terms of Service that the customer signs are pretty explicit about their being responsible for bandwidth usage.

    A few notes about charging for bandwidth:
    • As a hosting provider, we get charged for traffic in the greater of two directions - outbound. We don't normally charge customers for inbound bandwidth.

    • We rate limit traffic from all servers to 10Mbps as a precaution to protect ourselves. Being a relatively small provider, it is VERY rare that we or a customer of ours runs a server that generates more than 1-2 MBps of traffic. Everyone has a 10/100 port though, so the potential for a customer (or a customer's hacked machine) to do damage is possible. If someone wants the rate limit removed, we warn them again that they are responsible for their traffic.

    • We offer rate limiting to our customers if they are afraid about bandwidth costs. This might normally be a 1.5x the rate they're normally budgeting each month. Many customers find that rate limiting makes their site too slow, but riding a bike with training wheels is slow too (but you're less likely to fall down).

    • We charge by GigaBytes per mo. It's easy to track in web logs and packet counters and customers can write scripts to monitor how much they've used during the month and take appropriate steps toward the end of the month. This amounts to our charging for average (50th percentile) pricing. We charge enough so that even if they spiked at twice their average, we wouldn't lose money on our bandwidth costs. On average, though, we make money.

    • If a customer doesn't pay, we shut them off and can take them to small claims court based on the TOS agreement.


    These are some of the steps we use to protect ourselves and our customers. Your mileage may vary.

    (We use packeteer for rate limiting, but I keep eyeballing OpenBSD/AltQ/PF for both rate limiting and firewalling for our customers).
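The per-month usage accounting that ziegast says customers can script from web logs (comment 17), with the turn-off point jgerman asks for (comment 4) and the vhost deactivation vano2001 mentions (comment 9), as one added example that is not code from any of those posters. It assumes Apache's combined log format prefixed with the virtual host name ("%v %h %l %u %t \"%r\" %>s %b"), takes a gigabyte as 10**9 bytes, and the log lines are constructed; actually disabling a vhost (editing its config and reloading Apache) is left as a printed action rather than invented.

```python
"""Monthly per-vhost byte accounting from web logs, with a quota cut-off.

Added example, not code from the thread. Log format assumed: Apache's
combined log prefixed with the virtual host name (%v %h %l %u %t "%r" %>s %b).
GB is taken as 10**9 bytes; providers differ. The log lines are constructed.
"""
import re
from collections import defaultdict

GB = 10 ** 9

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ '
    r'\[(?P<day>\d{2})/(?P<mon>[A-Za-z]{3})/(?P<year>\d{4}):[^\]]*\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return (vhost, 'YYYY-Mon', bytes) or None for a line that does not match.
    Apache logs '-' for a zero-byte response (e.g. a 304)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    nbytes = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return m.group("vhost"), "%s-%s" % (m.group("year"), m.group("mon")), nbytes


def monthly_usage(lines):
    """Sum response bytes per (vhost, month). Unparseable lines are skipped."""
    usage = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            vhost, month, nbytes = parsed
            usage[(vhost, month)] += nbytes
    return dict(usage)


def vhosts_over_quota(usage, month, quota_gb):
    """Vhosts whose usage in `month` has reached quota_gb: the turn-off point."""
    return sorted(v for (v, m), total in usage.items()
                  if m == month and total >= quota_gb * GB)


def rate_cap_mbps(budget_gb_per_month, factor=1.5, days=30):
    """Rate limit (Mbit/s) at `factor` times the rate a monthly byte budget
    works out to, the kind of cap described in comment 17."""
    bits_per_second = budget_gb_per_month * GB * 8 / (days * 24 * 3600)
    return bits_per_second * factor / 1e6


# Constructed log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
example.test 203.0.113.5 - - [27/Jan/2003:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 2048
example.test 203.0.113.6 - - [27/Jan/2003:10:00:02 +0000] "GET /big.iso HTTP/1.0" 200 1073741824
other.test 198.51.100.9 - - [27/Jan/2003:10:00:03 +0000] "GET / HTTP/1.0" 304 -
other.test 198.51.100.9 - - [27/Jan/2003:10:00:04 +0000] "GET /a.html HTTP/1.0" 200 512
garbage line that does not parse
"""

if __name__ == "__main__":
    usage = monthly_usage(SAMPLE_LOG.splitlines())
    for (vhost, month), total in sorted(usage.items()):
        print("%-14s %s %12d bytes" % (vhost, month, total))
    for vhost in vhosts_over_quota(usage, "2003-Jan", quota_gb=1):
        # A real script would comment the vhost out of its config and reload Apache.
        print("over quota, disable until next month or explicit override:", vhost)
    print("rate cap for a 1000 GB/month budget: %.2f Mbit/s" % rate_cap_mbps(1000))
```

Note that this counts only the bytes the web server sent, which is what a web log can see; unsolicited inbound traffic (the subject of the question) never shows up in it, so this catches a slashdotting or a worm on the customer's own box, not an inbound flood at the ISP's router.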