Bad Behavior on the 'Net - Who Pays the Bandwidth Bill?

Cliff posted more than 11 years ago | from the stuff-to-talk-about dept.

The Internet 654

rakolam asks: "I am involved with network management in the hosting department of a fairly large ISP. Constantly we have customers who dispute inbound bandwidth spikes and demand service credits on their burstable connections. Events such as the Slammer Virus literally have everyone knocking on their salesperson's door at the end of the billing cycle. My position is that the internet is a public space, and by placing themselves in that space, one has to realize the consequences (and the implications of burstable billing). I'd like Slashdot's perspective on this. Should ISPs ultimately eat the costs of malicious behavior? Is the customer ultimately responsible for the bandwidth they've generated, regardless if it's desired or not? Is this a new frontier for insurance companies?"

1? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5452935)

prost frist?

Re:1? (-1)

Salad Shooter (600065) | more than 11 years ago | (#5452953)

Hello you fucking moronic cunt.

How about you keep your ignorant first post shit to yourself? Like anyone gives a fuck about a little bitch like you.

Re:1? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5453013)

Sounds like someone needs a reassurance pat... there ya go, big fella.

Re:1? (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5452973)

I would like to use this first post to give shouts out to everyone.

IN SOVIET RUSSIA (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5452941)

Bandwidth penalizes YOU!!!

Niggaz pay (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5452945)

Nigga you pay.

analogous to water/electric company IMHO (5, Insightful)

rdewald (229443) | more than 11 years ago | (#5452946)

What happens to you if someone runs an extension cord from your house or if you spring an unknown water leak? You get a huge bill and you fix the problem. How is this different?

Re:analogous to water/electric company IMHO (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5452990)

Well, it's different because I had sex with a black African rhino named Frederick Johnson III. Afterwards I was infected with HIV. That is how this is different.

Re:analogous to water/electric company IMHO (4, Funny)

prator (71051) | more than 11 years ago | (#5453017)

Not a very good analogy. More like you have an electrical socket outside your house, and you have a sign that says, "Use me". Then you get upset when the circus comes to town and powers everything off your socket.

-prator

Re:analogous to water/electric company IMHO (5, Insightful)

Fishstick (150821) | more than 11 years ago | (#5453113)

Yep, I was thinking along the same lines. It's like having a drinking fountain outside your house for public use - you are expecting maybe 10-20 gallons monthly as people stop by and have a quick sip. Then, you get all pissed when your water bill comes and 5,000 gallons show up when the circus comes to town and all the clowns have used your water fountain to fill all their water balloons. :-)

Do you then go ask for a credit from the utility because of the excessive/unexpected use?

Re:analogous to water/electric company IMHO (2, Interesting)

rdewald (229443) | more than 11 years ago | (#5453181)

My thought was that the credit back would then be handled on a case-by-case basis. I have had water leaks, discovered them via my bill, fixed them, and then asked for and received credit. I doubt I would have gotten the same credit for the following month.

This would be another way to encourage people to patch and protect publicly available servers--which is in everyone's interest (cf. slammer).

Re:analogous to water/electric company IMHO (1)

bradams (241228) | more than 11 years ago | (#5453022)

...if you spring an unknown water leak?

When I had a water leak, the water co. asked for the bill from the plumber and gave me a credit on my bill.

Re:analogous to water/electric company IMHO (1)

k_stamour (544142) | more than 11 years ago | (#5453026)

Agreed, Patch your Pipes downstairs and Patch your servers...... Hard not to see it any other way. I guess it would heavily rely on the definition of a "leak" or malicious event in the SLA. Also whose onus it is to keep their boxes up to date, and if not up to date, is the ISP responsible for the Spike on the last /32 segment. I would say it comes down to the (Devil in the) details of the SLA....

Re:analogous to water/electric company IMHO (5, Insightful)

captain_craptacular (580116) | more than 11 years ago | (#5453080)

Bad Analogy. The poster says customers dispute INCOMING bandwidth spikes. So the analogy would be more along the lines of someone sending a huge power surge through your lines un-announced and un-requested, then the power company attempting to charge you for it.

I lean towards the consumer not having to pay, considering they didn't request the traffic and are therefore not responsible for it.

Re:analogous to water/electric company IMHO (2, Insightful)

macrom (537566) | more than 11 years ago | (#5453082)

It's different because stealing electricity is, in most places, a crime. If you can prove that your neighbor used your electric line to power his house, some sort of authority would go after the other party. Granted, your only recourse may be in small claims court, but you would still have a way to recoup your losses.

A virus or other Internet contagion could come from somewhere waaaay outside your jurisdiction. If some server in China is constantly bombarding your incoming pipe with virus activity, bogus web requests, port scanning, etc. then you're stuck footing the bill.

With all of this said, I think ISPs should provide some sort of insurance to their burstable customers. You could get so much bandwidth per billing cycle but leave room for error in the event your customer can verify that they received "hacker traffic" or somesuch. Perhaps even build in clauses that say the end-user is required to notify the ISP of problematic access within a certain timeframe, that way they can take action further up the pipe to block said packets.

If a user, however, comes up at the end of the month and complains about lots of unwanted traffic, well, hire an admin to look after your connection and come see us next month.

Re:analogous to water/electric company IMHO (2, Insightful)

Enry (630) | more than 11 years ago | (#5453146)

This is incoming bandwidth - that is, the customer may be fully patched, but the bursts are coming from outside the network. This would be more analogous to the electric company sending 220V (or 440v) to your house for two days. Who's at fault, them for allowing a change in what is coming down the pipe, or you for not protecting each piece of equipment in your house? At best, it's a combination. The electric company should know better than to give you more than you know you need, and you should not rely on someone else to protect your gear.

The only way to really take care of this is to put a firewall in front of the box doing the metering. If the firewall rules are written properly, things like the MSSQL bug won't make it past the firewall.

Your wife (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5452949)

I came in her cunt! Enjoy your new kid!

Re:Your wife (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5453004)

No, that was my 9 year-old daughter.

NO, IT WAS MICHAEL'S ASS (0)

Anonymous Coward | more than 11 years ago | (#5453075)

no text

Insurance (0, Redundant)

somazero (306124) | more than 11 years ago | (#5452962)

Could this somehow be insured?

Re:Insurance (1)

Gortbusters.org (637314) | more than 11 years ago | (#5453036)

Sounds like an interesting money-making idea you got there. Hmmm Slashdot spam insurance, ensure that your site will never get slashdotted!

Re:Insurance (1)

fritz (5973) | more than 11 years ago | (#5453117)

And if so, who is the right person to buy the insurance, the hosting company or each of its hundreds or thousands of users?

I'd say the hosting company is in the best position either to self-insure, or to find some kind of insurance if that's necessary.

I think (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5452963)

You should suck their dick and swallow the cum

I think you're right about insurance (0)

Anonymous Coward | more than 11 years ago | (#5452965)

In fact, I should start selling hosting insurance. It could cover bandwidth overuse due to worms, plus backup restoration costs due to system failure... ooohh... $$$!

Charge on sent traffic. (5, Interesting)

FirstManOnMoon (613282) | more than 11 years ago | (#5452966)

Every ISP should base charges only on how much traffic you send. That would give people a real incentive to keep their systems patched and secured. You wouldn't have to pay a ridiculous amount if you're on the receiving end of a DOS. You would have to pay if your systems get hacked or catch a worm though.

Alas, unless every ISP participated, this model wouldn't work well.

Re:Charge on sent traffic. (0)

unicron (20286) | more than 11 years ago | (#5453045)

I disagree. All ISPs should charge a flat monthly rate, regardless of whether I push 2k or 2 terabytes. Just block outgoing 21 and 80 to eliminate warez servers, and it should be fine. Not everyone on the ISP is going to be pulling MP3s 24/7, so the bandwidth used wouldn't be that overwhelming.

Re:Charge on sent traffic. (0)

Anonymous Coward | more than 11 years ago | (#5453088)

"Just block outgoing 21 and 80 to eliminate warez servers"

http://mysite.com:81/warez.html

ISPs should charge a flat monthly rate, because customers in general (and business customers in particular) don't like signing blank cheques, which is what a 'per megabyte' charge is.

A Blend of the two? (2, Insightful)

rblancarte (213492) | more than 11 years ago | (#5453096)

Perhaps the best solution would be to implement a flat rate under which you would just pay a set amount per month. If you exceeded this, then you would pay on a burst billing method for the bandwidth beyond that.

The real question becomes where do you set the line? But that could be determined by the average user usage, perhaps a study could be done over the course of a few months to see where people fall on this whole thing.

RonB

Re:A Blend of the two? (1)

unicron (20286) | more than 11 years ago | (#5453136)

I'm with Cox, and while I've heard they have a 6gb down limit, I question whether or not it's enforced. I pulled half-a-dozen ISOs in a single weekend once, like 12-15gb, and I never heard a peep from them about it.

Re:Charge on sent traffic. (1)

FTL (112112) | more than 11 years ago | (#5453112)

> Just block outgoing 21 and 80 to eliminate warez servers, and it should be fine.

Huh? Since when [digitalroutes.co.uk] do web servers have to be on port 80? Same with FTP.

Users just won't pay (5, Insightful)

drfuchs (599179) | more than 11 years ago | (#5452967)

If someone steals my credit card number, the credit card company won't even charge me the $50 that they have the legal right to. I doubt that ISPs will be able to fare any better.

Re:Users just won't pay (0)

Anonymous Coward | more than 11 years ago | (#5453071)

but on the other end of that, if you didn't report your card/dispute charges you didn't make 60 days after (maybe 90) you can be liable for the full amount.

so if someone doesn't patch their server 90 days later, it seems similar.

that $50 charge only comes in when you lost your card, not just the number

Re:Users just won't pay (4, Informative)

Gaijin42 (317411) | more than 11 years ago | (#5453089)

That's because they pass that cost on to the vendor, for not validating enough information about who the purchaser was.

The CC company doesn't eat that. The vendor does for accepting the stolen card

Re:Users just won't pay (0)

Anonymous Coward | more than 11 years ago | (#5453109)

But that's because the CC companies stand to lose business if they admit that their systems are vulnerable to fraud. It's just a PR decision.

The customer always pays (3, Insightful)

chrisseaton (573490) | more than 11 years ago | (#5452968)

You could let them think that you were "eating the cost", but everyone knows it would simply be passed to the customers in the end.

Re:The customer always pays (0)

Anonymous Coward | more than 11 years ago | (#5453093)

Gee, why didn't the poster provide a web page URL as reference?

POsting it up in this biatchchch!!! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5452969)

fuckadoodle-doo, here it comes!!! open wide bitches!!!1!!!

Simple policy (5, Interesting)

cybermace5 (446439) | more than 11 years ago | (#5452978)

Keep up to date on current worms and other bandwidth threats. Notify your customers about these threats, and provide information on how to eliminate or reduce the impact.

Any massive bandwidth they log after that, is their responsibility. You notified them, and they did not listen.

After a few incidents like that, they will start to listen to your warning messages.

Re:Simple policy (5, Interesting)

Croaker (10633) | more than 11 years ago | (#5453081)

Err... the problem is customers are billed by the ISP for incoming bandwidth. How is a customer supposed to stop incoming packets from some pinhead's server that got itself infected with some virus? Is the ISP allowing them to setup a firewall outside the ISP to block this stuff? If not, then saying 'hey, there are some nasty viruses going around' is pretty much beside the point. There's nothing the customer can do to block those incoming packets before they are charged for them by the ISP.

This is a thorny issue. The real answer is that the twit whose server got owned and is spewing garbage out on the net should be responsible for paying. But enforcing that is going to be a problem.

Re:Simple policy (1)

cybermace5 (446439) | more than 11 years ago | (#5453157)

The real answer is that the twit whose server got owned and is spewing garbage out on the net should be responsible for paying. But enforcing that is going to be a problem.

Precisely.

And that's what will happen, if the situation is handled as I posted above.

Of course the ISP should do its best to block well-known attacks.

Re: Simple policy (1)

rblancarte (213492) | more than 11 years ago | (#5453164)

How is a customer supposed to stop incoming packets from some pinhead's server that got itself infected with some virus?

Easy, recognise what is coming in and then either shut down your connection or turn off your computer.

RonB

Re:Simple policy (5, Insightful)

sweetooth (21075) | more than 11 years ago | (#5453097)

Protecting yourself from an attack, such as code red, doesn't mean it doesn't still eat bandwidth. It's the same with anything. I noticed today that my mail server was a little sluggish. I sshd into it, checked the logs and saw the same bastard attempting to send spam to the server and tons of rbl lookups were taking place. So I added the various IPs to the firewall's blacklist. So now the mail isn't processed, but whatever program they are using doesn't even bother to check to see if the mail is being accepted, it just keeps spamming. So, I'm still having a fairly large percentage of my bandwidth being eaten because of a very inconsiderate individual. Stopping code red was the same. At one point I was logging thousands of attempts every day. They were not successful, but they still ate the bandwidth.

I don't know what the solution to the problem is exactly. As it stands now I pay for any bandwidth used regardless of how or why it was used. It would be much better if those charges could be passed along to the person responsible for abusing your bandwidth, but how that could be enforced is beyond me.

One thing I have to note here is that the person posing the question is talking about INBOUND spikes not outbound. So your points are even less relevant.

Re:Simple policy (0)

Anonymous Coward | more than 11 years ago | (#5453107)

That's great and all, but still doesn't stop the onslaught of traffic when one is targeted by infected machines.

Perhaps the ISP should pay a bit closer attention and stop traffic of that manner at the main router before it hits the servers? A simple IDS system should be able to detect 10,000 packets in the last 30 seconds from the same IP?
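
The per-source rate check suggested in the comment above, sketched as an added example that is not part of the original thread. The record format `(timestamp, source_ip, packets)`, the class and function names, and the sample traffic are assumptions constructed for illustration; only the 10,000-packet and 30-second figures come from the comment.

```python
"""Sliding-window per-source packet counter (added illustration)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 30         # window quoted in the comment
THRESHOLD_PACKETS = 10_000  # packet count quoted in the comment


class SourceRateDetector:
    """Tracks packets per source over a trailing time window."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD_PACKETS):
        self.window = window
        self.threshold = threshold
        self._events = defaultdict(deque)  # src -> deque of (ts, packets)
        self._totals = defaultdict(int)    # src -> packets currently in window
        self._alerting = set()             # sources already reported

    def observe(self, ts, src, packets):
        """Feed one record (timestamps must be non-decreasing).

        Returns an alert dict the first time a source reaches the
        threshold, and None otherwise. A source is re-armed once its
        windowed total drops back below the threshold.
        """
        queue = self._events[src]
        queue.append((ts, packets))
        self._totals[src] += packets
        # Drop records that have fallen out of the trailing window.
        while queue and queue[0][0] <= ts - self.window:
            _, expired = queue.popleft()
            self._totals[src] -= expired
        total = self._totals[src]
        if total >= self.threshold:
            if src not in self._alerting:
                self._alerting.add(src)
                return {"ts": ts, "src": src, "packets_in_window": total}
        else:
            self._alerting.discard(src)
        return None


def build_sample_records():
    """Constructed per-second flow summaries using documentation IP ranges."""
    records = []
    for t in range(60):
        records.append((t, "198.51.100.7", 400))  # sustained flood: 400 pkt/s
        records.append((t, "192.0.2.10", 50))     # ordinary client: 50 pkt/s
    # Two bursts 35 s apart: 12,000 packets in total, never inside one window.
    records.append((5, "203.0.113.5", 6000))
    records.append((40, "203.0.113.5", 6000))
    return sorted(records)


def scan(records, **detector_args):
    """Run the detector over time-ordered records and collect alerts."""
    detector = SourceRateDetector(**detector_args)
    alerts = []
    for ts, src, packets in records:
        alert = detector.observe(ts, src, packets)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(build_sample_records()):
        print(alert)
```

A per-source threshold like this only flags single heavy senders; a flood spread across many sources that each stay under the limit passes it unnoticed.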

Re:Simple policy (1)

ArsonPanda (647069) | more than 11 years ago | (#5453160)

Keep up to date on current worms, Notify your customers about these threats

So according to your plan, since the slammer bit took all of what, 10 minutes to reach 85% saturation, the ISP would not have had time to warn their customers, and would thus be responsible for footing the bill. Right?

Re:Simple policy (1)

cybermace5 (446439) | more than 11 years ago | (#5453193)

No no no...the ISP's policy is that they aren't responsible for attacks. But they do their best to warn customers of avoidable bandwidth suckers like a hundred employees forwarding Melissa around.

It's not the ISPs responsibility (3, Insightful)

Mustang Matt (133426) | more than 11 years ago | (#5452979)

It sucks for them, but it's their server on the net and their responsibility to pay for the bandwidth used.

ISPs (1)

maximillianarturo (655330) | more than 11 years ago | (#5452989)

"What? You were charged for that... oh wait... that's the... "internet tax"... you don't like it, write a letter to your congressman..."

It's up to the ISP (1, Insightful)

Anonymous Coward | more than 11 years ago | (#5452991)

If you are an ISP and you want to charge people for bandwidth caused by worms and DoS attacks, put that in your user agreement. If you are willing to swallow the cost of attacks, put that in your agreement. There's no need for regulations or insurance yet.

The solution (-1, Troll)

cmdr_shithead (527909) | more than 11 years ago | (#5452992)

They are not cooperating. They are deceiving us, and they are undemocratic terrorists, and they have dark skin.

Thank Jesus Christ for useable nuclear weapons.

If you don't agree with me, you're evil!

That depends on what service he has with you (2, Insightful)

dawime (29644) | more than 11 years ago | (#5452996)

Is he hosting something on your servers or he has a box co-located? I would say he is responsible if he has to administer his box - otherwise, the ISP should bear the costs

my suggestion (1)

Stanley Feinbaum (622232) | more than 11 years ago | (#5452997)

A class action lawsuit directed at MS on behalf of all the ISPs who have been flooded with viruses and lost money due to security holes in MS's products.

Re:my suggestion (1)

Jason1729 (561790) | more than 11 years ago | (#5453121)

Take on MS in the courtroom? That's where they're best.

Jason
ProfQuotes [profquotes.com]

Re:my suggestion (0)

Anonymous Coward | more than 11 years ago | (#5453135)

Followed by a class action for all the sysadmins who can't apply a patch within six months of it being released.

slam this (0)

Anonymous Coward | more than 11 years ago | (#5453000)

you whiney bandwidth sucking basterdz!

you could host on angelfire, or you could learn to secure your site against these kinds of attacks by sniffing more glue.

thats what i did. my bandwidth bill was so low last monghth...

Communication (1)

DonkeyJimmy (599788) | more than 11 years ago | (#5453003)

It is the job of the ISP to properly communicate to its customers the dangers of being on the web.

On one hand, if the ISP says that it is not accountable for attacks and internet slowdowns that it has no control over, then the people shouldn't expect anything when they happen. On the other hand, if the ISP uses this communication as an excuse not to protect itself properly against such attacks, then the customer should take his business elsewhere or be properly reimbursed for their losses.

Were the patches applied? (1, Insightful)

Anonymous Coward | more than 11 years ago | (#5453005)

A few different issues here:

- yes, in general, they should be responsible for their bandwidth ... but if a big customer is going to walk over it, you need to make the right business decision
- even with something as simple as MRTG they should be able to have an idea of whether or not the service provider is billing correctly on burstable stuff
- if they haven't applied patches, then I can't see how a consumer of bandwidth could have any argument at all

It's in the contract (5, Insightful)

eagle486 (553102) | more than 11 years ago | (#5453010)

The customer pays what is in his contract. Make the language very explicit. There is no reason the ISP should eat it.

a physical location auction market. (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5453011)

I hump dead babys!

In other words (5, Insightful)

djKing (1970) | more than 11 years ago | (#5453015)

Should /. pay the bill for the /. effect [techtarget.com] ?

-Peace

Re:In other words (5, Interesting)

unicron (20286) | more than 11 years ago | (#5453103)

I've always wondered about that. If you had your business on the net, and /. linked to it, causing it to go down, would /. be liable? Assume the following before replying:

*/. did NOT warn the page
*The page in question NEVER receives the amount of traffic necessary to bring it down.
*Let's assume it happened on a Saturday, when they had minimal support
*The company can PROVE they lost revenue. /. can't really play dumb, they HAVE TO know the /. effect is going to be too much for a page. It can almost be called a DoS attack at this point.

We Always Pay (1)

Snagle (644973) | more than 11 years ago | (#5453018)

Whether it is our fault or not, we will be paying for it. You can't expect the ISP to just pay the costs when they could charge their customers instead.

IN SOVIET RUSSIA (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5453029)

YOU pay Cornell University [slashdot.org] bandwidth bill!

contract... (3, Interesting)

perlchild (582235) | more than 11 years ago | (#5453035)

Considering the variety of bandwidth providers, acceptable terms of service(TOS) and all that, eventually, it will become a matter of taste, preference and terms that can be agreed with. How many subscribers want traffic shaping, inbound or outbound on their interface? Wouldn't customers PAY for making sure that the only traffic spikes they can get are mail or http related? I'm sure a lot of my hosting clients would love a system where they pay for the bandwidth they use, but that limits are in place to make sure excessive bandwidth usage is actually the usage they pay for.

Since DiffServ and other standards based solutions are ready to be implemented, perhaps you should consider talking to your most whiney clients about it?

Yes I know it doesn't apply to all clients, and not every provider has the extra router/switch cpu power to implement them on all links...

But wouldn't such a solution be a good way to keep the more demanding clients(increasing the value they get: bandwidth for the right traffic) and decreasing the tax hackers and Distributed DOS and misconfigured systems make them pay (for undesirable traffic). Maybe you should suggest this as a customer retention measure, for those clients where it makes business sense.

Look at your audience! (1)

pgpckt (312866) | more than 11 years ago | (#5453037)

Is the customer ultimately responsible for the bandwidth they've generated, regardless if it's desired or not? Is this a new frontier for insurance companies?"

You're asking this of slashdot? The literal definition of the slashdot effect?

Eat it. (0)

Anonymous Coward | more than 11 years ago | (#5453038)

I think that conditions that are beyond the control of the user shouldn't have to be paid for by the user. Instead, a more logical response would be to prosecute the writer of the malicious code for additional costs that the ISP has to pay. Did the user do anything to warrant the jump in bandwidth? No. Did the ISP? No. The coder/hacker, however, did. This would also serve as a VERY strong deterrent for writing worms (such as Code Red, Slammer, etc.).

Heads up. (1)

FTL (112112) | more than 11 years ago | (#5453050)

The chief problem with billing according to bandwidth use, is that most users aren't keeping track of their bandwidth usage. Everyone has a feel for how much electricity they use, how much gas (petrol) they guzzle and how much their long distance bill is likely to be. But in general, people can't see the bandwidth being used.

I propose that ISPs who wish to charge by the byte need to develop a systemtray icon (or equivalent) that allows the user to see the accumulated traffic. Then there won't be any (or as many) surprises.

Re:Heads up. (0)

Anonymous Coward | more than 11 years ago | (#5453148)

most provide a bandwidth utilization meter, just visit xyz url

The place where I colo.... (2, Interesting)

WickedLogic (314155) | more than 11 years ago | (#5453051)

... which advertises on ./ all the time. Called me to warn me about the latest sql worm even though they saw on the optional order form that I was using BSD operating systems. They then offered to filter traffic on those ports until the issue died down so I wouldn't get charged.

I was happy they cared and they were happy to have me care enough about them and me not to run M$.

Re:The place where I colo.... (1)

cybermace5 (446439) | more than 11 years ago | (#5453115)

Do I hear wedding bells?

To eat or not to eat (3, Interesting)

binaryDigit (557647) | more than 11 years ago | (#5453053)

Well, on the one hand you have the credit card company model. They eat unauthorized charges all the time, and generally it is a good thing. Phone companies and other utilities do a similar thing, if you can prove the fraud, then they generally cut you some slack (though they might make you work for it). I think that this is a workable "consumer" friendly model. I think that generally, if one had a choice between two ISPs and one said we're gonna charge you no matter what, and the other said that we won't charge you for malicious use, assuming you can prove it, then I think that the choice would be obvious (price comparos notwithstanding of course).

Re:To eat or not to eat (0)

Anonymous Coward | more than 11 years ago | (#5453162)

Well, on the one hand you have the credit card company model. They eat unauthorized charges all the time, and generally it is a good thing

I think the store that sold the goods is the one that gets stuck with most of the unauthorized charges, not the credit card company.

Re:To eat or not to eat (0)

Anonymous Coward | more than 11 years ago | (#5453186)

Actually, they don't "eat" the charges. Losses are figured into the calculation for interest rates (apr).

For stores that sell merch. to fraud cards, they lose merch. if the card company rescinds credit, so the store has to markup to cover their loss.

So, the consumer still pays in the end.

Re:To eat or not to eat (1)

travisd (35242) | more than 11 years ago | (#5453188)

The Credit Card Co's don't "eat" shit - they gladly deduct from the merchant what they credit back to the consumer. It's ultimately the merchant that's out the $$ and/or product from an "unauthorized" transaction.

simple (2, Insightful)

sydlexic (563791) | more than 11 years ago | (#5453054)

I think it's simple to say you're responsible for your outbound traffic. If your machines are compromised, you should eat the bill for the traffic they generate. On the other hand, if you receive some wave of unwanted inbound traffic, you should definitely not be liable. Even a dropped UDP packet takes bandwidth.

In fact, I'd prefer a pricing model that is fixed for inbound and metered on the outbound. It puts a financial burden on spammers, copyright violators and the tragic/stupid victims of viruses. On the other hand, if you've got something to sell, you should be more than happy to pay for bandwidth used to move that merchandise.

This is a good question! (1)

FyRE666 (263011) | more than 11 years ago | (#5453057)

I've been thinking about this for a while - on the one hand, I wouldn't like to get a bill if one of my sites were getting DOS'ed to hell, but on the other hand I believe there should be an effort to make spamvertised sites pay by drinking their bandwidth dry en-masse.

As for slammer, the idiots running the servers with open ports to the databases should pay for their bandwidth - serves them right. Hell, they're already wasting money licensing the World's least secure web server, so why not throw a little more into the trashcan?

You do (1)

Unominous Coward (651680) | more than 11 years ago | (#5453060)

It's pretty obvious when you think about it. Bandwidth isn't free and ultimately, all internet users end up paying indirectly.

The same way that taxpayers all end up paying for the bungles of politicians.

Balanced response. (5, Insightful)

gehrehmee (16338) | more than 11 years ago | (#5453062)

Give them a complete or partial rebate, the first time, and have a set of "How can I protect myself?" documentation ready for the user. Email it to them, mail it to them, fax it to them, whatever it takes to get them to read it.

Inform them that if they ignore those suggestions, and future problems end up costing them money, then they'll have to foot the bill.

This way, the customer walks away happy and informed, and if they're really willing to be a good net citizen, they won't come back crying.

If they're not willing to do what's required of them, they'll get stuck paying for it.

it depends... (1)

thrillbert (146343) | more than 11 years ago | (#5453066)

is there such a thing as OC/48 bandwidth throttling?

As far as I know, which is very little, there is no such thing. You get 2gbps and that's the end of it.. there's no such thing as "it's burstable to 10gbps..yada yada yada".. but why is the poor guy who can barely afford the T-1 getting penalized?

Just my opinion.. everyone has one.. I got more than most.. :)

---
You can't judge a book by the way it wears its hair.

Re:it depends... (1)

DJ FirBee (611681) | more than 11 years ago | (#5453191)

If it is ATM then you can bet there is throttling. Just put everything in different classes of service.

ATM can do bandwidth throttling(sp) better than a frame relay network can, in fact most frame relay networks are transported internally between long distance switch sites on ATM gear. In MCI it was Cisco Stratacom and the infinitely cooler FORE ATM switches.

The guy with the T1 gets penalized because.

ha.

That's a good question... (1)

dragontooth (604494) | more than 11 years ago | (#5453077)

I think it depends on what kind of services you give your clients. For instance if you are offering shared hosting and the client gets killed by bandwidth baddies I would think it is the ISP's fault for not protecting the equipment. However if you are providing colo or complex colo and are merely providing bandwidth, then the client should be responsible for every byte of traffic that goes in and out. They are responsible for the hardware and software. How can the company be expected to look after that?

I work for a managed service provider. We would never charge our clients for the slammer virus if it had affected them (fortunately it didn't) but our colo customers would be looking at a very large bill about now.

Paying for Bandwidth (1)

bmcdarby (648224) | more than 11 years ago | (#5453079)

I think the customers in this case have the right to complain about paying for bandwidth that through no fault of their own (and I stress if they are not at fault).

Ultimately the ISP should cover for such worm attacks but I can well understand why they might not want to. It sounds like it would be a good area for insurance.

That's silly! (0)

Anonymous Coward | more than 11 years ago | (#5453085)

: one has to realize the consequences (and the implications of burstable billing

I don't see how people can be wholly responsible for their incoming bandwidth without being able to shape their traffic at their ISP's side of the pipe.

OT: What makes up bandwidth costs? (3, Interesting)

Platinum Dragon (34829) | more than 11 years ago | (#5453090)

I've always wondered where the cost for bandwidth comes from. I've assumed it is related to equipment and line maintenance, costs for professionals to maintain the equipment and expand the networks, and new equipment and housing.

Can someone give me an idea of where the price for bandwidth ultimately comes from?

Different cost model (1)

ByTor-2112 (313205) | more than 11 years ago | (#5453091)

I personally think that the current model for bandwidth needs to be changed. Right now the bandwidth providers are eating from both ends of the stick and laughing all the way to the bank. But the fact remains that many sites are not able to pay their bandwidth bills. If content on the net is disappearing, so will users.

I would propose that content providers be given free bandwidth provided by the telcos since, after all, they are the reasons people like me pay for broadband. In effect, the consumers will subsidize the cost of the content providers. After all, that's what you really pay that $20-50/mo for... The content!

NO! For the love of CowboyNeal, no! (0)

Anonymous Coward | more than 11 years ago | (#5453147)

I have but one question - what constitutes a content provider?

Should a system such as you propose ever come into existence, it'll be time for Internet 3, because the first one will have gone to hell in a bit bucket.

Liability = Incentive to be vigilant (2, Insightful)

Edball (611096) | more than 11 years ago | (#5453094)

You know, it seems to me that if Individuals are held liable for bandwidth issues stemming from malicious users, it provides a pretty good incentive to keep their systems up to date with the latest patches.

It also would cause Individuals to generate greater pressure on Distributors to get patches out and visible to the general public. If the general public took more of an interest in internet security, there'd potentially be much fewer DDoS Zombies out there.

There's nothing quite as eye-opening as a huge bill sitting on the table staring back at you.

And that's my 2 cents.

Throttle (2, Interesting)

hajo (74449) | more than 11 years ago | (#5453098)

If you work on the ISP side you should be able to throttle bursts of bandwidth with the consent of your users. Should they decline to be throttled then you should be able to charge. Why aren't you throttling bandwidth right now? A thousandfold increase in bandwidth use should raise suspicions unless the site was mentioned on slashdot ;-)

If you control, you are responsible (2, Informative)

jrpascucci (550709) | more than 11 years ago | (#5453123)

If you are a co-loc provider, where the person configures and runs their own machine and firewall and can take steps to minimize this sort of attack, then you have no responsibility: you are merely providing bandwidth.

If you control shared servers and/or if you do not give users a configurable blocking mechanism (firewall, IP addr/range blocker, for web services a bogus URL block or the ability to ban individuals who spam sites) then you are, in fact, responsible for the bogus bandwidth usage.

Anyone else? (1)

jforr (15487) | more than 11 years ago | (#5453128)

Anyone else look at the title and immediately think this could be the first back to back dupe?

Root access and dedicated servers (1)

Centinel (594459) | more than 11 years ago | (#5453132)

Dunno about your specific setup, but I would find it perfectly reasonable for hosting companies who rent dedicated servers and colocation facilities to make it customer responsibility and expect customers to patch their systems against such vulnerabilities.

After all, they have root access on the box. They're the admin.

For that matter, it should be the customer's ass, not the host's if they get r00ted.

Sort of things that should be in writing in the hosting contracts, IMHO.

Inter ISP charges? (0)

Anonymous Coward | more than 11 years ago | (#5453138)

There are reasons to go both ways on this one. On one hand if someone decides they don't like you on IRC and ping floods you a gigabyte, the charges for incoming bandwidth are not nice.

On the other hand charging everyone for outgoing bandwidth only, leaves operators of websites with a big bill which banner ads don't cover anymore.

I'd like to know which way charging goes in practise. If I got a fat connection to a big ISP or a big internet exchange, how would it usually be billed? Total traffic, incoming traffic, outgoing traffic, flat rate or based on content, e.g. does it matter if I am a search engine sending out content that people want or if I am feeding a load of web surfing end users getting content from others.

It Depends (2, Interesting)

Herkum01 (592704) | more than 11 years ago | (#5453139)

If you want to keep that customer, you do what it takes to keep the customer. Remember the golden rule, 1 bad customer experience gets passed onto 20 people. If you think that this customer is going to put up with this, fine go ahead and charge them. If you don't you should suck it up. If they leave, not only will the money that you get from them go to zero, but they will bad mouth you to enough other people that it does have a negative impact on you attempting to acquire more customers.

In other words, be a good guy, suck it up and the customer will trust you more the next time you attempt to raise their bill. Blow them off and the only thing that you might get from them is the finger.

Re:It Depends (2, Insightful)

josh crawley (537561) | more than 11 years ago | (#5453203)

---Blow them off and the only thing that you might get from them is the finger.

If they're part of an ISP, they probably have already got FINGERD.

Yeppers (0)

Anonymous Coward | more than 11 years ago | (#5453155)

Plain and simple, the customer needs to pay for the bandwidth they used.

However a simple "You're exceeding your commit rate. What's going on?" works wonders. The thing is - do it as soon as you see it - not with an excessive bill at the end of the month.

Sign me up (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5453159)

Only muslim terrorists subscribe to Slashdot.
A towel is not a hat.

this is why the buffet model works best (1)

Merlinus (8023) | more than 11 years ago | (#5453163)

This is why bandwidth at an "all you can eat" rate per month is best. This is why the Internet took off so much faster in the US than elsewhere in the world - local phone calls are free with a monthly bulk rate. Trying to break down the cost by quantity is fraught with complex issues that just aren't worth the trouble compared to a flat rate.

Monitoring and Opting Out (5, Interesting)

pbryan (83482) | more than 11 years ago | (#5453169)

My previous employer was unfortunate enough to be attacked by a series of distributed ICMP ping flood attacks. Our bill jumped from under $1K per month (Canadian) to over $10K in less than a day.

We adjusted our monitoring process to detect these spikes early and contact our ISP to deny traffic from the offending subnets. Luckily, our ISP was willing to do this, even though they still incurred traffic from inbound packets. Luckily, these attacks originated from a few subnets that could be isolated.

As a further kludge, we eventually disabled ICMP altogether on our routers, and lived without ping and traceroute.

Having a host on the net is a risky proposition. You pay for inbound and outbound traffic, regardless of the source, packet type, or quantity. DDoS attacks can not only prevent your server from being accessible, they could literally bankrupt you if you become a target and don't take preventative measures.

Hmm... One click bankruptcy. I wonder if anyone has tried to patent this yet...

Our ISP was technically capable of detecting and thwarting various attacks. Ultimately, the policy of monitoring and contacting an ISP when traffic exceeds a certain threshold seems like a workable solution for average co-locaters.

Given the architecture of the Internet, it's difficult to see how we could shift the burden to pay away from the server to the client. It seems like a problem remarkably similar to the problem of spam.
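The monitoring approach described in the comment above (catch the spike early, then name the source subnets to hand to the ISP), as an added example that is not part of the original post. The flow-record layout, thresholds and function names are assumptions, and the sample records are constructed from documentation address ranges.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed flow records: (minute, source IP, protocol, inbound bytes).
# Addresses come from the RFC 5737 documentation ranges.
FLOWS = (
    [(m, "192.0.2.10", "tcp", 40_000) for m in range(6)]
    + [(m, "198.51.100.7", "icmp", 500) for m in range(6)]
    + [(5, f"203.0.113.{h}", "icmp", 90_000) for h in range(1, 9)]
)

def per_minute_totals(flows):
    """Sum inbound bytes per minute, ordered by minute."""
    totals = defaultdict(int)
    for minute, _src, _proto, nbytes in flows:
        totals[minute] += nbytes
    return dict(sorted(totals.items()))

def spike_minutes(flows, window=4, factor=5):
    """Minutes whose total exceeds factor x the median of the previous `window` minutes."""
    totals = per_minute_totals(flows)
    minutes = list(totals)
    flagged = []
    for i in range(window, len(minutes)):
        baseline = median(totals[m] for m in minutes[i - window:i])
        if baseline and totals[minutes[i]] > factor * baseline:
            flagged.append(minutes[i])
    return flagged

def offending_subnets(flows, minute, proto="icmp", prefix=24, share=0.5):
    """Source subnets that sent at least `share` of that minute's `proto` bytes."""
    by_net = defaultdict(int)
    for m, src, p, nbytes in flows:
        if m == minute and p == proto:
            net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
            by_net[str(net)] += nbytes
    total = sum(by_net.values())
    return sorted(n for n, b in by_net.items() if total and b / total >= share)

def report(flows):
    """Map each spiking minute to the subnets worth asking the ISP to block."""
    return {m: offending_subnets(flows, m) for m in spike_minutes(flows)}

if __name__ == "__main__":
    print(report(FLOWS))
```

A median baseline keeps one earlier noisy minute from masking the next spike, and the per-subnet share test only helps when, as in the comment, the flood comes from a few subnets that can be isolated.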

Pay and Pay (1)

I don't want to spen (638810) | more than 11 years ago | (#5453176)

So you have to pay for the downloads of bug fixes, or else you have to pay for not downloading the bug fixes ...

Interesting (1)

essdee (655531) | more than 11 years ago | (#5453177)

It's a pretty tough issue... seems like whoever initiated the malicious behavior should foot the bill, but in cases where that person can't be located then I guess the victims of the attacks just have to eat the cost. Seems like a good incentive for customers to keep servers patched and firewalled (though even that won't guard against all attacks), as well as provide assistance in tracking down the responsible persons.

That insurance idea is definitely interesting. It would probably be a good idea for ISPs (or third-party companies) to consider offering insurance plans for their services, in case of situations like those.

Bad idea anyway (1, Insightful)

Anonymous Coward | more than 11 years ago | (#5453201)

'Burstable' billing, or any other scheme for charging based on total traffic transmitted, is a bad idea anyway. It creates additional overhead (and therefore cost) on the provider's end, and unnecessary paranoia for a customer.

Billing a fixed monthly amount for a particular rate of transfer is a much better option.. Eg, $400/mo, for a 2Mbit link (if it's via a media that can go faster, rate-limit it to 2Mbit). No extra resources used to measure utilization, no surprises in the bill.