Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bad Behavior on the 'Net - Who Pays the Bandwidth Bill?

Posted by Cliff on from the stuff-to-talk-about dept.

rakolam asks: "I am involved with network management in the hosting department of a fairly large ISP. Constantly we have customers who dispute inbound bandwidth spikes and demand service credits on their burstable connections. Events such as the Slammer Virus literally have everyone knocking on their salesperson's door at the end of the billing cycle. My position is that the internet is a public space, and by placing themselves in that space, one has to realize the consequences (and the implications of burstable billing). I'd like Slashdot's perspective on this. Should ISP's ultimately eat the costs of malicious behavior? Is the customer ultimately responsible for the bandwidth they've generated, regardless if it's desired or not? Is this a new frontier for insurance companies?"

18 of 595 comments (clear)

  1. analogous to water/electric company IMHO by rdewald · · Score: 5, Insightful

    What happens to you if someone runs an extension cord from your house or if you spring an unknown water leak? You get a huge bill and you fix the problem. How is this different?

    --
    The best way to do is to be.
    1. Re:analogous to water/electric company IMHO by captain_craptacular · · Score: 5, Insightful

      Bad Analogy. The poster says customers dispute INCOMING bandwidth spikes. So the analogy would be more along the lines of someone sending a huge power surge through your lines un-announced and un-requested, then the power company attempting to charge you for it.

      I lean towards the consumer not having to pay, considering they didn't request the traffic and are therefore not resonsible for it.

      --
      They who would give up an essential liberty for temporary security, deserve neither liberty nor security
    2. Re:analogous to water/electric company IMHO by Fishstick · · Score: 5, Insightful

      Yep, I was thinking along the same lines. It's like having a drinking fountain outside your house for public use - you are expecting amybe 10-20 gallons monthly as people stop by and have a quick sip. Then, you get all pissed when your water bill comes and 5,000 gallons show up when the circus comes to town and all the clowns have used your water fountain to fill all their water baloons. :-)

      Do you then go ask for a credit from the utility because of the excessive/unexpected use?

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    3. Re:analogous to water/electric company IMHO by jgerman · · Score: 5, Interesting
      No but what I do expect is to be able to set a turn off point for my site when bandwidth goes too high. Here's a for instance. I wasnted to put up a smallish site at WazooWeb (yes I actually clicked on a /. banner) for 6.95 a month it didn't seem like a bad deal, and 10GB of bandwidth seems more than enough. But what if I get /.'ed, or something equally remote happens that blows me over the limit. I want a way to say, once I'm at my limit shut me down for the month, unless I explicitly come in and say go ahead... I'll take the extra charges. It's not like I even want it on be default, I'm perfectly ok with setting the threshold myself.


      Of course my small scale situation may not translate to a large business account.

      --
      I'm the big fish in the big pond bitch.
    4. Re:analogous to water/electric company IMHO by DanEsparza · · Score: 5, Insightful
      I completely disagree. Bandwidth is analagous to people using roads (network connections). If roads are heavily used, they must be maintained, or they fall into disrepair. If network connections are heavily used, ISP's need capital to get bigger (or more) connections so that certain service levels can be maintained.

      We don't live in an (entirely) communist world. We don't get to pass out resources indiscriminately. We have a fixed amount of resources, and as with any case of supply and demand, the person holding the supply can (and should) charge for using the resource. In the case of network bandwidth, the resource is not obvious, but it is still tangible: It is network equipment and opportunity costs.

  2. Charge on sent traffic. by FirstManOnMoon · · Score: 5, Interesting

    Every ISP should base charges only on how much traffic you send. That would give people a real incentive to keep their systems patched and secured. You wouldn't have to pay a ridiculous amount if you're on the receiving end of a DOS. You would have to pay if your systems get hacked or catch a worm though.

    Alas, unless every ISP participated, this model wouldn't work well.

  3. Users just won't pay by drfuchs · · Score: 5, Insightful

    If someone steals my credit card number, the credit card company won't even charge me the $50 that they have the legal right to. I doubt that ISPs will be able to fare any better.

  4. Simple policy by cybermace5 · · Score: 5, Interesting

    Keep up to date on current worms and other bandwidth threats. Notify your customers about these threats, and provide information on how to eliminate or reduce the impact.

    Any massive bandwidth they log after that, is their responsibility. You notified them, and they did not listen.

    After a few incidents like that, they will start to listen to your warning messages.

    --
    ...
    1. Re:Simple policy by Croaker · · Score: 5, Interesting

      Err... the problem is customers are billed by the ISP for incoming bandwidth. How is a customer supposed to stop incoming packets from some pinhead's server that got itself infected with some virus? Is the ISP allowing them to setup a firewall outside the ISP to block this stuff? If not, then saying 'hey, there are some nasty viruses going around' is pretty much beside the point. There's nothing the customer can do to block those incoming packets before they are charged for them by the ISP.

      This is a thorny issue. The real answer is that the twit whose server got owned and is spewing garbage out on the net should be responsible for paying. But enforcing that is going to be a problem.

    2. Re:Simple policy by sweetooth · · Score: 5, Insightful

      Protecting yourself from an attack, such as code red, doesn't mean it doesn't still eat bandwidth. It's the same with anything. I noticed today that my mail server was a little slugish. I sshd into it checked the logs and saw the same bastard attempting to send spam to the server and tons of rbl lookups were taking place. So I added the various ip's to the firewalls blacklist. So now the mail isn't processed, but whatever program they are using doesn't even bother to check to see if the mail is being accepted, it just keeps spamming. So, I'm still having a fairly large percentage of my bandwidth being eaten because of a very inconsiderate individual. Stopping code red was the same. At one point I was logging thousands of attempts every day. They were not successful, but they still ate the bandwidth.

      I don't know what the solution to the problem is exactly. As it stands now I pay for any bandwidth used regardless of how or why it was used. It would be much better if those charges could be passed along to the person responsible for abusing your bandwidth, but how that could be enforced is beyond me.

      One thing I have to note here is that the person posing the question is talking about INBOUND spikes not outbound. So your points are even less relevant.

    3. Re:Simple policy by ADRA · · Score: 5, Interesting

      Here is a 'simple' policy as an ISP.

      If you are hosting business internet lines give the customers 2 options.

      1. Wide open internet. Nothing is filtered on the ISP end, as it stands today, and the customer is 100% liable for ANY traffic circulating between the internet and the customer, solicited or not.

      2. Abuse Managed Internet. Charge a fee to the customer per month, which get the customer:
      - Any abuse, aka DOS attempts removed from the monthly bandwidth
      - The ISP will filter abuse attempts before they occur, so if there is a code red floating around, allow a transparent proxy / firewall throw the packets away before it causes your customers harm.
      The trade off for the customer is more assured price, and quality of service for the price of flexability and a nominal charge.

      --
      Bye!
  5. It's in the contract by eagle486 · · Score: 5, Insightful

    The customer pays what is in his contract. Make the language very explicit. There is no reason the ISP should eat it.

  6. In other words by djKing · · Score: 5, Insightful

    Should /. pay the bill for the /. effect?

    -Peace

    --
    Free as in "the Truth shall set you..."
    1. Re:In other words by unicron · · Score: 5, Interesting

      I've always wondered about that. If you had your business on the net, and /. linked to it, causing it to go down, would /. be liabel? Assume the following before replying:

      */. did NOT warn the page
      *The page in question NEVER receives the amount of traffic necessary to bring it down.
      *Let's assume it happened on a Saturday, when they had minimal support
      *The company can PROVE they lost revenue. /. can't really play dumb, they HAVE TO know the /. effect is going to be too much for a page. It can almost be called a DoS attack at this point.

      --
      Finally, math books without any of that base 6 crap in them.
  7. Balanced response. by gehrehmee · · Score: 5, Insightful

    Give them a complete or partial rebate, the first time, and have a set of "How can I protect myself?" documentation ready for the user. Email it to them, mail it to them, fax it to them, whatever it takes to get them to read it.

    Inform them that if they ignore those suggestions, and future problems end up costing them money, then they'll have to foot the bill.

    This way, the customer walks away happy and informed, and if they're really willing to be a good net citizen, they won't come back crying.

    If they're not willing to do what's required of them, they'll get stuck paying for it.

    --
    "You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
  8. Monitoring and Opting Out by pbryan · · Score: 5, Interesting

    My previous employer was unfortunate enough to be attacked by a series of distributed ICMP ping flood attacks. Our bill jumped from under $1K per month (Canadian) to over $10K in less than a day.

    We adjusted our monitoring process to detect these spikes early and contact our ISP to deny traffic from the offending subnets. Luckily, our ISP was willing to do this, even though they still incurred traffic from inbound packets. Luckily, these attacks originated from a few subnets that could be isolated.

    As a further kludge, we eventually disabled ICMP altogether on our routers, and lived without ping and traceroute.

    Having a host on the net is a risky proposition. You pay for inbound and outbound traffic, regardless of the source, packet type, or quantity. DDoS attacks can not only prevent your server from being accessable, they could literally bankrupt you if you become a target and don't take preventative measures.

    Hmm... One click bankruptcy. I wonder if anyone has tried to patent this yet...

    Our ISP was technically capable of detecting and thwarting various attacks. Ultimately, the policy of monitoring and contacting an ISP when traffic exceeds a certain threshold seems like a workable solution for average co-locaters.

    Given the architecture of the Internet, it's difficult to see how we could shift the burden to pay away from the server to the client. It seems like a problem remarkably similar to the problem of spam.

    --

    My car gets 40 rods to the hogshead, and that's the way I likes it!

  9. Just like in real life by raarts · · Score: 5, Interesting

    Suppose you live on a crosspoint of several countries. Your house happens to be located in a dangerous curve on the road. Also for some reason your house looks to some kiddies like it asks to be vandalized.

    For these reasons you get a lot of breakin attempts, occasionally a truck crashes through your walls. All this is not only by people from your own country, but from neighbouring countries as well.

    You install warning lights and other measures so cars and trucks don't come in crashing. You call the police when kiddies vandalize your home, but they says they can't do anything.

    All this costs you a lot of money and headaches.

    In real life there are several ways to defend yourself:

    • taking your own safety measures as can reasonably be expected from a houseowner
    • get insured for the unexpected
    • trust the police the catch criminals
    • trust international law enforcement for border-crossing crimes

    Now apply these principles to your hosting server.

    • Of course you should take every precaution within reason to prevent your server from being hacked (keep it up to date folks)
    • Get an insurance for unexpected costs. I'll bet insurance companies could do well here
    • Trust the cops for catching the script kiddies and real criminals. Alas, the police is hopeless understaffed and low on resources for these new crimes. Also legislation is lagging behind
    • International laws? Don't count on it. Same as above, but worse.

    Suppose your house is rented. Is the person renting you the house responsible for every breach? Did he warn you before you signed the contract? Is it his responsability to call you every time some vandals are passing on the road? Or some truck may crash into your home?

    Of course your ISP can warn you for every threat that may be coming, but what if there's no warning time? Or he misses a small thing that happens to affect your server bigtime? Is the ISP really responsible?

    Be careful out there...

  10. Hrm by pclminion · · Score: 5, Interesting
    Well, here's the scenario people seem to be putting forth:

    ISP A has customer X. ISP B has malicious user Y. Malicious user Y sends huge quantities of packets to user X.

    The question seems to be, should ISP A eat the cost, or should customer X eat it? Why the hell are those the only two options?! It seems to me like ISP *B* should eat the cost, since the malicious packets were sent through their network in the first place. ISP B can attempt to recover their loss directly from malicious user Y.

    The ISP *and* the customer are both victims in a DOS attack. Whoever runs the network which *initiated* the attack should be responsible.