"Who should pay, ISP or customer?" is a slightly misleading question. ISP's are businesses trying to make a profit. If their costs go up, their customers will (directly or indirectly) foot the bill.
So the real question is "who should pay for each unexpected bandwidth consumption event - the person who owned the site that got hit, or all customers, indirectly?"
If the answer is "the person who owns the site", then if an individual becomes the victim of malicious or unpreventable attack, they lose out financially. This could be seen to be unfair.
If the answer is "all customers", then all customers lose out financially from the actions of a few customers who fail to manage their sites properly. So if I completely fail to patch my SQL server, get hit by Slammer, and claim that that's an malicious attack and not my financial responsibility, then every other customer pays for my laziness. That could be seen to be unfair.
The (apparently) fairest answer is a combination of the two - if I'm the victim of an attack, I shouldn't have to pay for the increased bandwidth and the whole community bears the cost; but if I fail to take appropriate action to prevent an attack/surge/whatever, it's my problem and I should bear the cost.
However, that answer means that the ISP has to define the criteria for what consitutes appropriate action, then police that. Which costs them a lot of money. Which the whole community pays for:-)
Disclaimers:
1) I don't work for an ISP
2) I don't even have a website
therefore
3) I probably don't know what I'm talking about:-)
Slashdot Mirror
So the real question is "who should pay for each unexpected bandwidth consumption event - the person who owned the site that got hit, or all customers, indirectly?" If the answer is "the person who owns the site", then if an individual becomes the victim of malicious or unpreventable attack, they lose out financially. This could be seen to be unfair. If the answer is "all customers", then all customers lose out financially from the actions of a few customers who fail to manage their sites properly. So if I completely fail to patch my SQL server, get hit by Slammer, and claim that that's an malicious attack and not my financial responsibility, then every other customer pays for my laziness. That could be seen to be unfair. The (apparently) fairest answer is a combination of the two - if I'm the victim of an attack, I shouldn't have to pay for the increased bandwidth and the whole community bears the cost; but if I fail to take appropriate action to prevent an attack/surge/whatever, it's my problem and I should bear the cost. However, that answer means that the ISP has to define the criteria for what consitutes appropriate action, then police that. Which costs them a lot of money. Which the whole community pays for :-)
Disclaimers:
1) I don't work for an ISP
2) I don't even have a website
therefore
3) I probably don't know what I'm talking about :-)