I think overall you have a good policy here. I do have one question, though: standing back and looking at it from the customer point of view, do you not regard pushing the onus of measuring bandwidth off to your customer an inappropriate one? I've spent most of my career running ISPs, and this has always been a "wrong" in my eyes.
Not knocking it by any means - in fact the best comparison is the phone company, who only provides me monthly statements of my long distance usage...in both cases the data is generated real-time and I think for something that can spike so dramatically in cost, the ISP should provide me a tool for monitoring this info instead of putting it upon me (I could monitor it - many could not).
Probably a combination of several answers given here. A little common-sense applies here...ultimately, I should be responsible for any bandwidth which I had reasonable control over:
- I should not be responsible for TCP traffic that is not ACK'd from my system (one-way traffic inbound, like a virus hitting my system, but my system doesn't respond because they are patched/unaffected). At that point, I believe the originating ISP is responsible for the costs incurred by my ISP, as they should detect and filter this from the source (force responsibility on the part of the ISPs, who will then try harder to police their users who don't accept the responsibilities of having systems on the net).
- *If* the ISP wants to bill me for traffic that isn't ACK'd, they had better have a helluva response time on filtering the latest/greatest worm from my pipe.
- I should be responsible if I'm dumb enough to hang out SQL server and get Slammer, etc. (ACK'd undesired traffic - I am responsible for my own systems!)
- I am responsible for having more bandwidth used than I planned on for my exposed service (Slashdot isn't responsible for Slashdotting my site - I put it up there). One has to assume I am paying for burst because I want to handle unplanned traffic! Otherwise I wouldn't be on a burst pipe and I would probably be paying a flat fee anyhow.
- The ISP should provide me an option to drop a certain percentage or deny all traffic above a threshold of sudden and sustained level unless I am alerted (email, phone call, pager, whatever) and can approve it - same principle as a bank...I can move any amount of money around I want, but a very large one-time transaction can have an authorization requirement (protection from the Slashdot effect).
So, I guess I really feel that the ISP and the user must share responsibility, depending on who "let" that traffic into the pipe.