Bad Behavior on the 'Net - Who Pays the Bandwidth Bill?
rakolam asks: "I am involved with network management in the hosting department of a fairly large ISP. Constantly we have customers who dispute inbound bandwidth spikes and demand service credits on their burstable connections. Events such as the Slammer Virus literally have everyone knocking on their salesperson's door at the end of the billing cycle. My position is that the internet is a public space, and by placing themselves in that space, one has to realize the consequences (and the implications of burstable billing). I'd like Slashdot's perspective on this. Should ISPs ultimately eat the costs of malicious behavior? Is the customer ultimately responsible for the bandwidth they've generated, regardless of whether it's desired or not? Is this a new frontier for insurance companies?"
Re:Users just won't pay (Score:5, Informative)
The CC company doesn't eat that. The vendor does for accepting the stolen card
If you control, you are responsible (Score:2, Informative)
If you control shared servers and/or if you do not give users a configurable blocking mechanism (firewall, IP addr/range blocker, for web services a bogus URL block or the ability to ban individuals who spam sites) then you are, in fact, responsible for the bogus bandwidth usage.
Here's the problem Jerky... (Score:3, Informative)
You can have the most sophisticated firewall on the planet, but due to the immutable laws of IPv4 you can NOT drop a packet until you see the packet. At which point you've already used the bandwidth (and incurred the cost) required to transport the packet that you're just going to drop.
This has nothing to do with patching your server. If you don't patch your server, and you get hit with a worm, and your box starts consuming huge amounts of bandwidth to attack other hosts, then it's your fault, and it's OUTBOUND traffic, and you absolutely should pay for it. But having your server patched does not stop you from receiving inbound packets. They may not harm your server when they get to it, but you already paid for the transit.
BTW, This is why it's illegal for a telemarketer to call you on your cell phone. Because in theory you had to answer the call (and incur expense) BEFORE you knew who was on the other end.
This is a similar issue, except that we're not talking about telemarketers... which are businesses that more or less follow the rules. We're talking about script kiddies that don't care about the rules. Or in the worst case, we're talking about a competitor, or enemy, or rival that just wants to DOS you for a month until you go out of business because of all the excess bandwidth charges you're paying!
The technology limits the liability of the consumer. The ISP must take some responsibility here and put systems in place that protect the consumer.
-JE
Re:analogous to water/electric company IMHO (Score:2, Informative)
To answer the part of the question: Yes, the customer should be responsible for *generated* packets, as well as *legitimate* inbound traffic. However, just like a credit card, the customer should be protected from use outside the normal scope/intention, especially with malicious intent (i.e. receiving 1000 copies of the slapper worm per second, when you are running a patched SQL server).
Re:OT: What makes up bandwidth costs? (Score:2, Informative)
1) Total the bytes every 5 minutes (basically average usage in 5 minute groups).
2) Sort all the samples from highest to lowest for the month.
3) Throw away the top samples - usually contracts specify something like 5% or 10%.
4) Bill based on the highest remaining sample.
It is quite logical - once you have installed the infrastructure to support the bandwidth it doesn't matter if you push one bit or a billion over that. In other words, the relevant cost is to support a large enough pipe (which is determined by peak usage) for the customer. Pushing 1 megabit 24/7 takes the same pipe as pushing it for an hour a day.
Remember that the typical connection to a cage is 100Mb so you can really push bits for a few seconds as long as you don't get too many high 5-minute samples.
Commentary: I feel that the same logic should apply elsewhere - if I have a 384k DSL then I'm automatically capped to that bandwidth and should be allowed to use it for brief periods or constantly. Fortunately that's exactly how my local home ISP sees things as well - static IP for everyone, no restriction on # of computers, servers, etc.
Back to the original discussion: if the hosting company offers to the customer to set a rate limit then I think the customer loses otherwise there is some culpability on the part of the ISP.
In reality the current business climate will mean the ISP eats it if they want to keep their customers. The ISP is probably not out any money anyway since (see above) the cost is in the pipe, not the usage (unless, of course, they buy their bandwidth using similar contracts from an upstream provider).
Re:Here's the problem Jerky... (Score:3, Informative)
Of course this is for leased lines, not metered bandwidth in most cases, but the concept remains the same. We watch our own backyard, when something happens we react and get the problem resolved. If one of our cable modems is spamming or spewing slammer all over the Earth, we notice and shut off the offender. If we didn't care to look, we would get negatively impacted, just like the guy that doesn't notice his machine spewing out slammers, or nimda, or getting slashdotted.
Take an active role in your internet usage and you are largely immune to this sort of billing. You are responsible for your own stuff, if you aren't taking care of your stuff, I sure as hell shouldn't be expected to eat the cost.
It is YOUR FAULT if you get four hundred and eighty million hits. You put up the site. If you get slammer, you should have patched. Quit crying about your bill and administer your system.
Ounce of prevention, blah blah blah.
Re:analogous to water/electric company IMHO (Score:5, Informative)
The original question though is what should the ISP have done. IMO they should have firewalled access to the affected ports and then split the cost.
Re:Charge on sent traffic. (Score:3, Informative)
And you post this from hotmail? Are you just trying to supply a counterexample in the same breath?
When I worked at AOL, OC48 installations were a regular occurrence.
Re:In other words (Score:1, Informative)
No. Back in July I did some benchmarking of ext3 vs Reiserfs and it got on Slashdot.
Although we got 2 million hits in 24 hours, it was NOT too much for webserver and our T1 line.
I was happy about the traffic as we received quite a bit of exposure.
Dax Kelson
Guru Labs
Re:Fairer - sent or solicited - a modest proposal: (Score:2, Informative)
What would you do? Bill anyway, since that's part of the risk of running a SMTP server? Maybe this user needs a smarter server that rejects spam at the time of connection. Hmm..
Re:analogous to water/electric company IMHO (Score:5, Informative)
Most colo providers I'm familiar with bill on 95th percentile bandwidth, which means that they drop the top 5% of samples (typically 5-minute average) and bill you for the bandwidth of the highest remaining sample. This means that you can absorb short-term heavy bandwidth spikes without being charged, up to about a day and a half worth of time per month.
In any case, the ISP should have no way of knowing WHAT traffic creates the bandwidth spike, unless I specifically request that they monitor my port. Of course, smart ISPs will exploit these incidents by offering firewalling services as a value-add, even if it's just stateless filtering at the router, as a way for customers to "insure against unexpected traffic spikes from virus/worm activity".
Of course, if I was paying for virtual web service, rather than a server colo and bandwidth fee, I should not be charged for non-web traffic, and I doubt any ISP would have the balls to do so.
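The 95th-percentile calculation that the two comments above describe (5-minute byte totals, sort, discard the top 5%, bill the highest remaining sample) worked through in code. This is an added example, not from the thread; it assumes a 30-day cycle and 5-minute polling, and the baseline/flood traffic figures are constructed to show when an unsolicited inbound flood does and does not change the bill.

```python
"""95th-percentile (burstable) billing worked through on 5-minute samples.

Added example, not from the original thread.  The contract terms assumed
here (5-minute averaging, 30-day month, 5% of samples discarded) are the
ones the comments describe; the traffic figures are constructed.
"""
from typing import Sequence

SAMPLE_SECONDS = 300            # one sample per 5-minute polling interval
DAYS_PER_MONTH = 30             # assumption: 30-day billing cycle


def samples_per_month(days: int = DAYS_PER_MONTH, interval_s: int = SAMPLE_SECONDS) -> int:
    """Number of polling samples in one billing cycle (8640 for 30 days at 5 min)."""
    return days * 86400 // interval_s


def bytes_to_mbps(byte_counts: Sequence[int], interval_s: int = SAMPLE_SECONDS) -> list:
    """Step 1: turn per-interval byte totals (SNMP ifOctets deltas, NetFlow,
    etc.) into the average Mbit/s over that interval."""
    return [count * 8 / interval_s / 1_000_000 for count in byte_counts]


def percentile_bill_mbps(samples: Sequence[float], percentile: float = 95.0) -> float:
    """Steps 2-4: sort descending, discard the top (100 - percentile)% of the
    samples, and return the highest remaining sample, which is the billed rate."""
    if not samples:
        raise ValueError("no samples in billing period")
    ordered = sorted(samples, reverse=True)
    discard = int(len(ordered) * (100.0 - percentile) / 100.0)
    return ordered[discard]


def free_burst_minutes(n_samples: int, percentile: float = 95.0,
                       interval_s: int = SAMPLE_SECONDS) -> int:
    """How long a customer can sit at full line rate before it affects the bill.
    For a 30-day month this is 432 samples = 2160 minutes = 36 hours."""
    discard = int(n_samples * (100.0 - percentile) / 100.0)
    return discard * interval_s // 60


def billed_with_flood(baseline_mbps: float, flood_mbps: float,
                      flood_samples: int, n_samples: int = None) -> float:
    """Constructed month: a quiet baseline everywhere except flood_samples
    consecutive intervals of unsolicited traffic (worm scans or a DDoS).
    Returns the rate the customer is billed for; the meter does not care
    whether the bytes were solicited or which direction they travelled."""
    n = samples_per_month() if n_samples is None else n_samples
    month = [float(baseline_mbps)] * n
    for i in range(min(flood_samples, n)):
        month[i] = float(flood_mbps)
    return percentile_bill_mbps(month)


if __name__ == "__main__":
    n = samples_per_month()
    print("free burst time per month:", free_burst_minutes(n) / 60, "hours")
    # A 30-hour flood (360 samples) is absorbed by the discarded 5%; 48 hours is not.
    print("30 h of 90 Mb/s on a 2 Mb/s site bills at", billed_with_flood(2, 90, 360), "Mb/s")
    print("48 h of 90 Mb/s on a 2 Mb/s site bills at", billed_with_flood(2, 90, 576), "Mb/s")
```

The discard step is what makes the scheme tolerable for a Slashdotting that lasts an afternoon and brutal for a multi-day flood: one more sample past the 5% window and the bill jumps from the baseline to the flood rate, with nothing in between.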
Re:Simple policy (Score:2, Informative)
We do bandwidth monitoring for all our clients and provide 24/7 access to the reports so clients know exactly where they stand with regard to their usage.
As I've only read the comments down to this point I haven't seen anyone discuss how bandwidth utilization is actually calculated and billed.
For the most part the comments are in regard to ISPs providing consumer Internet access as opposed to colocation, or hosting, which is a different beast.
When we sell a client a T1 they get the bandwidth that will go over a T1.
Colocated clients you have to monitor via switch/router interfaces, NetFlow, et al. The resources it would take to discern 'real' traffic from 'invalid' traffic would make it not worth the effort of the provider.
As I mentioned we provide clients access to utilization graphs updated every 5 minutes. We explain to them what they mean and get them to understand their own usage. If we or a client detect unusual usage we research it. If it's an attack we attempt to shut it down, if it's legit it stays. That doesn't make the client not responsible for bandwidth directed to or originating from the equipment they chose to put on the Internet.
How it works here (Score:5, Informative)
A few notes about charging for bandwidth:
These are some of the steps we use to protect ourselves and our customers. Your mileage may vary.
(We use packeteer for rate limiting, but I keep eyeballing OpenBSD/AltQ/PF for both rate limiting and firewalling for our customers).
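What the PF/AltQ setup the poster is eyeballing could look like on the ISP side, as an added example that is not the poster's configuration. It combines the two measures the thread keeps coming back to: filtering a worm's port at the provider's border so the customer's metered link never sees it (the Slammer worm targeted the MS-SQL resolution service on UDP/1434), and a per-customer ceiling so a usage-billed pipe cannot be driven past the rate the customer agreed to pay for. Interface names, the 192.0.2.0/24 customer block and the queue sizes are assumptions; the queue syntax is the classic AltQ form used by PF before OpenBSD 5.5 (assumption: that is the version in use).

```pf
# Added example (not the poster's pf.conf).  Interfaces and addresses are assumed.
ext_if   = "em0"              # upstream / peering side
int_if   = "em1"              # customer-facing side
cust_net = "192.0.2.0/24"     # assumed customer address block

# Drop Slammer probes before they cross the customer's metered link.  The ISP
# still pays its upstream for the bytes that arrived on $ext_if, which is the
# point made elsewhere in the thread: filtering caps the customer's exposure,
# not the provider's.
block in quick on $ext_if proto udp from any to $cust_net port 1434

# Per-customer ceilings on what the ISP will deliver toward each customer.
# A flood aimed at cust_a saturates its 5Mb queue and is dropped here instead
# of being billed at whatever rate the attacker chose.
altq on $int_if cbq bandwidth 100Mb queue { cust_a, cust_b, std }
queue cust_a bandwidth 5Mb cbq
queue cust_b bandwidth 10Mb cbq
queue std    bandwidth 85Mb cbq(default)

pass out on $int_if inet from any to 192.0.2.0/29 queue cust_a
pass out on $int_if inet from any to 192.0.2.8/29 queue cust_b
```

The block rule belongs on the upstream interface with `quick` so the worm traffic is discarded before any queue assignment; the queues only bound what is delivered, they do not stop the provider from receiving it.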
Not vandalism, wireless spam (Score:3, Informative)
Compare this to someone constantly text-messaging spam to your wireless phone. You could quickly run up an insane bill that way, and there's really nothing you could do about it. The wireless company is contractually within its rights to charge you.
But it won't.
That's how they work. Someone screws with you, typically the provider eats it, especially if there was nothing you could do about it. That puts the incentive back onto the one entity who can actually do something about it: the providers. True for wireless. True for credit cards. True for just about anything where the end user can't do anything to stop the abuse.
The ISPs can do something about it. They have chosen not to because of how we (the geeks) developed the internet. It's too trusting. But at the end of the day, your ISP does know who you are, because they send you a bill. And they could apply uniform terms of service if they chose to, and only talk to other ISPs who have similar terms.
The RBLs are the future. They just don't go far enough. When they're willing to not just cut off SMTP but entire connectivity to other ISPs who aren't willing to play by uniform rules, then we'll start to see some changes. What kinds of rules? Here are some for starters:
The old-world networks (phones) have worked this way for years. I can block my outbound caller-id. I can have an unlisted phone number. I can be very anonymous on the phone. But if I'm named in a lawsuit or criminal complaint, the phone company will hand me over in a heartbeat. The only way around this is pay phones with cash. It's hard to run a large-scale scam that way.
And no, this doesn't mean that an ISP's logs are free game to the RIAA. But it does mean that if the RIAA wants to name a specific "unknown party" in a lawsuit, the ISP is obligated to identify them. Before you get excited, that's exactly the current situation. The RIAA just wants to get the info without actually suing you (which is wrong, and luckily some ISPs have resisted). ISPs need to be willing to say they will only interconnect with other ISPs who play by the same rules.
Yes, this will fragment the internet for a short period of time. So do the RBLs. But economics will fix it fast enough, especially if entire connectivity is cut off.
Re: maximum exposure (Score:1, Informative)
It is very hard to even make a buck nowadays running an ISP; for years a lot of smaller ISPs got by, and made themselves (their business) look better than it was. Providing people with unlimited bandwidth for $50 a month is hard to do when you figure out all the costs.
A lot of times they didn't have the actual bandwidth they said they did, just to bring in a profit etc...
Most of these companies were hoping they would get bought out in the dot com craze and did. The bigger telecoms bought up the smaller guys knowing there would be a loss but also were thirsty for what might be the biggest thing in their future, and not wanting to be left out of a good thing.
Nowadays things have changed a little, a lot of the smaller ISPs are gone, and you might still be able to get a cheap line, but more and more people and businesses have learned that you get what you pay for and don't mind paying a little bit more to know that the company won't fold tomorrow leaving them stuck with a lot of problems that they wouldn't have had from a bigger more respected company that has to play the publicity game more often.
I think bandwidth is still pretty expensive right now, the charges on an OC3 connection are not cheap and most ISPs pay by the bandwidth used.
Plus you got the problem mentioned here.
I do not believe this problem is about Web services; that may be a problem for some, but I think that a parked server that uses up a lot of bandwidth for their website should just pay up.
For a lot of the reasons already mentioned by others.
But the problems really happen when a Virus or a Bug leads to unreasonable bandwidth usage.
Code Red hurt a lot, but after the first couple of hours we had filters in place that blocked most of the negative traffic from the Virus at the core routers.
Also the recent SQL bug was blocked pretty fast so that people didn't accrue a huge bill. So we are learning fast how to help our customers and ourselves not get into these problems. But there have been some times when a person has hacked a server and loaded an FTP with games and porn or whatever and caused them to have a bill in the tens of thousands of dollars and the customer didn't have a clue any of that was coming.
I think we will learn to avoid a lot of this; even though it may still be the customer's responsibility to configure the server, the ISPs are learning that to keep customers and not get into these problems they have to do more monitoring and check the network more for anything unusual like this. A simple script that runs every night that checks for anonymous FTP PUTs can save everyone a lot of grief.
A lot of ISPs are just starting to turn a buck again, getting spending down to something reasonable that is more in line with their income.
And keeping a lot of the more talented people that can really help in these situations will be key to better service. These lines will get cheaper as the money initially invested gets
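The nightly check for anonymous FTP uploads mentioned above, as an added example that is not the poster's script. It reads the standard wu-ftpd/vsftpd xferlog format (assumption: the server writes that format, in which whitespace in filenames is replaced by underscores, so records split cleanly on spaces), selects completed inbound transfers made under the anonymous access mode, and totals them per source host so the dropper that turned a box into a warez/porn mirror stands out. The log lines are constructed.

```python
"""Nightly sweep of an FTP transfer log for anonymous uploads (xferlog format).

Added example, not the original poster's script.  The log lines below are
constructed; the field layout is the standard wu-ftpd/vsftpd xferlog format.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# xferlog: 5 timestamp tokens ("Sat Feb  1 03:14:07 2003") followed by 13 fields.
_FIELDS = ("xfer_time", "remote_host", "size", "filename", "xfer_type",
           "special_flag", "direction", "access_mode", "username",
           "service", "auth_method", "auth_user", "status")

# Constructed sample: two anonymous uploaders, one download, one real user,
# one incomplete upload and one junk line.
SAMPLE_XFERLOG = """\
Sat Feb  1 03:14:07 2003 12 203.0.113.7 52428800 /pub/incoming/disc1.rar b _ i a anonymous@ ftp 0 * c
Sat Feb  1 03:15:02 2003 9 203.0.113.7 48000000 /pub/incoming/disc2.rar b _ i a anonymous@ ftp 0 * c
Sat Feb  1 03:20:41 2003 1 198.51.100.23 2048 /pub/incoming/.readme b _ i a mozilla@ ftp 0 * c
Sat Feb  1 04:02:13 2003 3 198.51.100.23 1048576 /pub/drivers/nic.zip b _ o a mozilla@ ftp 0 * c
Sat Feb  1 05:30:00 2003 4 192.0.2.10 4096000 /home/www/site.tar b _ i r webmaster ftp 1 * c
Sat Feb  1 05:31:00 2003 4 203.0.113.7 900000 /pub/incoming/part.rar b _ i a anonymous@ ftp 0 * i
this line is not an xferlog record
"""


def parse_xferlog_line(line: str) -> Optional[Dict[str, str]]:
    """Return the record as a dict, or None for lines that are not 18 tokens."""
    parts = line.split()
    if len(parts) != 5 + len(_FIELDS):
        return None
    record = dict(zip(_FIELDS, parts[5:]))
    record["timestamp"] = " ".join(parts[:5])
    return record


def anonymous_uploads(lines: Iterable[str], completed_only: bool = True) -> List[Dict[str, str]]:
    """Select inbound transfers made under the anonymous access mode.
    direction 'i' = upload to the server, 'o' = download;
    access_mode 'a' = anonymous, 'r' = real user;
    status 'c' = completed, 'i' = incomplete."""
    hits = []
    for line in lines:
        rec = parse_xferlog_line(line)
        if rec is None:
            continue
        if rec["direction"] != "i" or rec["access_mode"] != "a":
            continue
        if completed_only and rec["status"] != "c":
            continue
        hits.append(rec)
    return hits


def bytes_by_host(records: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate uploaded bytes per source address; a dump shows up as a few
    hosts with large totals rather than many hosts with small ones."""
    totals: Dict[str, int] = defaultdict(int)
    for rec in records:
        totals[rec["remote_host"]] += int(rec["size"])
    return dict(totals)


def report(lines: Iterable[str], threshold_bytes: int = 10_000_000) -> List[str]:
    """Hosts whose completed anonymous uploads total at least threshold_bytes,
    largest first.  The threshold is an assumed tuning knob."""
    totals = bytes_by_host(anonymous_uploads(lines))
    flagged = [h for h, b in totals.items() if b >= threshold_bytes]
    return sorted(flagged, key=lambda h: totals[h], reverse=True)


if __name__ == "__main__":
    for host in report(SAMPLE_XFERLOG.splitlines()):
        print("anonymous upload volume exceeded from", host)
```

Run it from cron against the previous day's log; incomplete transfers are skipped by default because a drop site that is filling up is usually visible from the completed ones, but `completed_only=False` catches an uploader who is still mid-transfer when the sweep runs.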
Re:Don't understand bandwith charge (Score:3, Informative)
You have your T1. So do 3000 other people. The ISP has calculated that on average, only 15% of your T1, along with everyone else's, is used in any given month.
That T1 has to connect to something, don't it? It's not a point to point connection to every single site you go to. Your T1 will drop into a DS3, ATM, POS connection. The ISP has calculated what they need to run in the back end, and what they need at the various peering points with other providers.
Let's say the ISP only has 3000 T1 customers. That's a total available bandwidth of 4632 Mb/s for all T1s combined. But since on average only 30% of that is used, that falls to 694. They play it safe and decide that on the backbone they triple that amount (which is not the case. Usually it's less than double). That's still only 2084 Mb/s (or 13 DS3s). Your price for a T1 has been calculated using these numbers. Suddenly everyone uses their T1 at full capacity 24/7. The ISP has to put in more pipes to accommodate this. This means their bill to the backbone has skyrocketed. Since your original price was based on 15% utilisation, and now it's 100% utilisation all the time, what do you think will happen? Your bill will go up significantly. The ISP is in business to make money. If it has to put in another 16 DS3s that will run at 100%, they've more than doubled their operating costs. Why should they take a loss? They are totally justified in raising their prices.
This is how the real world operates.
ISPs aren't 'the internet' (Score:3, Informative)
ISPs don't have infinite bandwidth.
I know, its quite a strange idea. But think of this.
If you're an ISP in a single location, chances are you're buying a few (hundred?) megabits off your upstreams. Unless your upstreams are happy to filter traffic they send to you (and unless it's a very large DDoS, most of them will take a while to implement any access control), the ISP will still be charged for traffic sent to a customer even if the customer chooses to reject it.
Similarly, if the ISP provides filtering support for their customers, they still receive the traffic and bite the usage.
Now, if you're a large ISP and have links to other peering exchanges. Even, say, you peer enough to not really need transit. These inter-state links still cost money. And they're fixed. So if a customer is hit with a DDoS they'll still be carrying it _somewhere_.
Even if this mythical tier-${LOWNUM} ISP with lots of fat peering links has some magical scripts to filter out DDoS traffic to a given customer range, it still will hit their border routers. So their peering cross connects have already been filled. The only way around this is to deal with their peers..
But they don't really have the incentive to spend all their time dealing with smaller networks being attacked. They'd be worried with keeping their network from melting under a few larger ones.
The flipside. If you're an ISP with enough bandwidth (and not high-profile sites like irc servers or pr0n) you might be willing to bite the costs of various attacks as part of a marketing point. Customers may come to you because you have a reputation of being lenient under attacks. Perhaps. But that's a delicate line.
Me, I dig flatrate pipes. Usage based pipes is just asking to be owned by excess traffic. If I buy a megabit then all I really have to worry about is service degradation due to DoS. ISPs, in my experience, will help you with that. But if you're on a usage based pipe which then gets owned by a DDoS you're struggling after the fact to get a rebate. Good luck.
(Although, that said, perhaps you guys should consider asking for usage based pipes that _have_ a bandwidth cap. Figure out what your maximum spend amount is, say 5mbit, and then ask for a usage-based pipe based on that. That way you limit your liability _AND_ getting the cheaper transit. Most of the time.)
Problem is... (Score:3, Informative)
Ideally you'd be able to roll over bandwidth for exactly one month, as in subtracting the previous month's rollover at the end of the month. Your bandwidth would be continuously throttled to the rate at which you'd expend all of your bandwidth at the end of the month. Without rollover, the ISPs would have a huge sawtooth pattern in monthly load, with one of the sides of the teeth being nearly vertical. The rollover is more for the benefit of the ISPs than anything; so is upstream port blocking, allowing ISPs to block unwanted traffic at its borders.
Re: maximum exposure (Score:3, Informative)
A telephone company would build a system for anticipated peak service and would add some room for expansion. As a result, the telephone company would build an expensive system with excess capacity.
Although costs were fixed, telecom companies would bill customers for time used. To do this, they would set a rate for normal usage that would be high enough to cover the costs of the peak usage network.
I imagine that the Internet is somewhat the same way. Internet companies build for peak usage and set a rate for normal usage that will cover the cost of the peak usage network.
The thing that happens in a DOS attack is that the DOS attack pushes the services used from the normal level to peak usage levels for a prolonged period.
Since most of the network's costs are fixed, the DOS attack really doesn't cost the network that much more. A DOS attack doesn't spontaneously generate more routers and fiber optic connections.
The end effect of the attack is that it screws up billing. Remember the normal usage rates are set high enough to cover the cost of peak capacity. The DOS attack creates a situation where the end user is suddenly being charged the rate calculated for normal usage at the volume of peak usage.
Now, I realize the Internet has an extreme number of layers of service providers. Many ISPs are just middlemen paying metered rates. The ISP is caught in the same trap of screwed up billing. The costs of the ISP's providers didn't go up during the attack.
The big bills for both the ISP and end user are the result of flaws in the billing and metering processes and not actual higher network costs. The challenge is to keep the charges from the DOS attack from screwing up the billing systems.
BTW, I do not mean to imply in this thread that DOS attacks are cost free. Just that the bandwidth consumed during the attack is really not costing the network that much more. The machines, cables and wires have more stuff going through them. The DOS attacks cost the support people in the ISP time, and have a cost in lost opportunity; they also create billing nightmares. The DOS attack does not actually cost the real dollar amounts that suddenly appear on bills.