Bad Behavior on the 'Net - Who Pays the Bandwidth Bill?
rakolam asks: "I am involved with network management in the hosting department of a fairly large ISP. Constantly we have customers who dispute inbound bandwidth spikes and demand service credits on their burstable connections. Events such as the Slammer Virus literally have everyone knocking on their salesperson's door at the end of the billing cycle. My position is that the internet is a public space, and by placing themselves in that space, one has to realize the consequences (and the implications of burstable billing). I'd like Slashdot's perspective on this. Should ISPs ultimately eat the costs of malicious behavior? Is the customer ultimately responsible for the bandwidth they've generated, regardless if it's desired or not? Is this a new frontier for insurance companies?"
analogous to water/electric company IMHO (Score:5, Insightful)
Users just won't pay (Score:5, Insightful)
The customer always pays (Score:4, Insightful)
It's not the ISP's responsibility (Score:4, Insightful)
It's up to the ISP (Score:1, Insightful)
That depends on what service he has with you (Score:2, Insightful)
Were the patches applied? (Score:1, Insightful)
- yes, in general, they should be responsible for their bandwidth
- even with something as simple as MRTG they should be able to have an idea of whether or not the service provider is billing correctly on burstable stuff
- if they haven't applied patches, then I can't see how a consumer of bandwidth could have any argument at all
It's in the contract (Score:5, Insightful)
In other words (Score:5, Insightful)
-Peace
simple (Score:3, Insightful)
In fact, I'd prefer a pricing model that is fixed for inbound and metered on the outbound. It puts a financial burden on spammers, copyright violators and the tragic/stupid victims of viruses. On the other hand, if you've got something to sell, you should be more than happy to pay for bandwidth used to move that merchandise.
Balanced response. (Score:5, Insightful)
Inform them that if they ignore those suggestions, and future problems end up costing them money, then they'll have to foot the bill.
This way, the customer walks away happy and informed, and if they're really willing to be a good net citizen, they won't come back crying.
If they're not willing to do what's required of them, they'll get stuck paying for it.
Re:analogous to water/electric company IMHO (Score:5, Insightful)
I lean towards the consumer not having to pay, considering they didn't request the traffic and are therefore not responsible for it.
Re:analogous to water/electric company IMHO (Score:3, Insightful)
A virus or other Internet contagion could come from somewhere waaaay outside your jurisdiction. If some server in China is constantly bombarding your incoming pipe with virus activity, bogus web requests, port scanning, etc. then you're stuck footing the bill.
With all of this said, I think ISPs should provide some sort of insurance to their burstable customers. You could get so much bandwidth per billing cycle but leave room for error in the event your customer can verify that they received "hacker traffic" or somesuch. Perhaps even build in clauses that say the end-user is required to notify the ISP of problematic access within a certain timeframe, that way they can take action further up the pipe to block said packets.
If a user, however, comes up at the end of the month and complains about lots of unwanted traffic, well, hire an admin to look after your connection and come see us next month.
Liability = Incentive to be vigilant (Score:2, Insightful)
It also would cause Individuals to generate greater pressure on Distributors to get patches out and visible to the general public. If the general public took more of an interest in internet security, there'd potentially be much fewer DDoS Zombies out there.
There's nothing quite as eye-opening as a huge bill sitting on the table staring back at you.
And that's my 2 cents.
A Blend of the two? (Score:3, Insightful)
The real question becomes where do you set the line? But that could be determined by the average user usage, perhaps a study could be done over the course of a few months to see where people fall on this whole thing.
RonB
Re:Simple policy (Score:5, Insightful)
I don't know what the solution to the problem is exactly. As it stands now I pay for any bandwidth used regardless of how or why it was used. It would be much better if those charges could be passed along to the person responsible for abusing your bandwidth, but how that could be enforced is beyond me.
One thing I have to note here is that the person posing the question is talking about INBOUND spikes not outbound. So your points are even less relevant.
Re:analogous to water/electric company IMHO (Score:5, Insightful)
Do you then go ask for a credit from the utility because of the excessive/unexpected use?
Re:analogous to water/electric company IMHO (Score:3, Insightful)
The only way to really take care of this is to put a firewall in front of the box doing the metering. If the firewall rules are written properly, things like the MSSQL bug won't make it past the firewall.
Bad idea anyway (Score:1, Insightful)
Billing a fixed monthly amount for a particular rate of transfer is a much better option. E.g., $400/mo for a 2Mbit link (if it's via a medium that can go faster, rate-limit it to 2Mbit). No extra resources used to measure utilization, no surprises in the bill.
Re:It Depends (Score:3, Insightful)
If they're part of an ISP, they probably have already got FINGERD.
Bad business (Score:5, Insightful)
I liked the analogy someone else came up with, such as someone running an extension cord from your house to theirs. Who is responsible here?
If I had hosting with your company, and the slammer bug hit servers that your sys admins failed to update, then you better eat that burstable bandwidth bill or a lawsuit couldn't be far behind (depending on the amount, of course). If the servers were my responsibility, including keeping them updated, etc, then I could understand your reasoning.
If a DDoS attack cripples my site, and you expect me to pay for that, you're sorely mistaken.
The simple fact is if they caused it, they paid for it. This includes patches/fixes the customer should've implemented. If you run and maintain that server for them, then no bill increase should be applied.
If someone out in the world caused it, a random malicious event that they just so happened to be on the brunt end of, just throw away that burstable bandwidth bill and make sure your customer knows you did them a favor.
It may not be your place to pay for that second scenario, but you'll keep your customers longer, keep them happier and keep word of mouth on your company going strong.
It's just good business. Were this my company, I would never even think of treating customers this way.
How badly do you want to keep the customer? (Score:3, Insightful)
You need to ask yourself- how much did the excess bandwidth really cost, and how much is this customer worth to me in the long run? Probably, keeping that customer will make far more impact on your company in the long term than if you charged them, pissed them off, and inspired them to switch to another ISP.
95th percentile model anyone? (Score:3, Insightful)
Our upstreams bill us this way, and all of our burstable downstream customers are billed this way. It works well that way.
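How 95th percentile billing treats an inbound spike, as an added example (not part of the original thread or any ISP's billing code). It assumes the common convention of 5-minute samples, discarding the top 5% of the month and billing on the higher of the inbound and outbound figures; the traffic figures are constructed.

```python
"""95th percentile ("burstable") billing over 5-minute samples.

Assumptions (not from the thread): 5-minute polling, a 30-day month,
nearest-rank percentile, bill on max(inbound, outbound).
"""

SAMPLE_SECONDS = 300                         # assumed polling interval
SAMPLES_PER_DAY = 86400 // SAMPLE_SECONDS    # 288 samples per day


def rank_95(n):
    """Nearest-rank position of the 95th percentile among n samples."""
    return (95 * n + 99) // 100              # integer ceil(0.95 * n)


def percentile_95(samples_mbps):
    """Sort the samples, discard the top 5%, return the highest one left."""
    if not samples_mbps:
        raise ValueError("no samples in billing period")
    ordered = sorted(samples_mbps)
    return ordered[rank_95(len(ordered)) - 1]


def billable_mbps(inbound, outbound):
    """Rate the customer is billed at: the higher of the two directions."""
    return max(percentile_95(inbound), percentile_95(outbound))


def month_with_spike(baseline_mbps, spike_mbps, spike_minutes, days=30):
    """Constructed month: flat baseline plus one flood of given length."""
    total = days * SAMPLES_PER_DAY
    spike_samples = (spike_minutes * 60) // SAMPLE_SECONDS
    if spike_samples > total:
        raise ValueError("spike longer than billing period")
    return [baseline_mbps] * (total - spike_samples) + [spike_mbps] * spike_samples


def free_burst_hours(days=30):
    """Hours of traffic per month that fall in the discarded top 5%."""
    total = days * SAMPLES_PER_DAY
    discarded = total - rank_95(total)
    return discarded * SAMPLE_SECONDS / 3600


def compare_spikes(spike_hours_list, baseline_in=2, baseline_out=8, flood=90):
    """Billable rate for the same customer under floods of different length."""
    outbound = [baseline_out] * (30 * SAMPLES_PER_DAY)
    return {
        hours: billable_mbps(
            month_with_spike(baseline_in, flood, hours * 60), outbound
        )
        for hours in spike_hours_list
    }


if __name__ == "__main__":
    print("discarded burst allowance: %.1f hours" % free_burst_hours())
    for hours, rate in compare_spikes([6, 24, 36, 48]).items():
        print("inbound flood of %2d h -> billed at %d Mbit/s" % (hours, rate))
```

A flood that lasts less than the discarded 5% of the month leaves the bill at the customer's normal rate; one sample past that threshold and the whole month is billed at the flood rate.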
Re:Charge on sent traffic. (Score:2, Insightful)
What?
Maybe you're just oversimplifying, but wouldn't this charge me only for outbound data (like HTTP GET requests) and not for the gigabytes of pr0n I download every day?
Hypothetical situation, I assure you!
Re:The customer always pays (Score:4, Insightful)
But it's not true. If McDonald's loses $80 in a lawsuit to somebody burned with hot coffee, they *can't* just raise their prices to recoup; their prices were already set to maximize profit before. So what gives? Profit. McDonald's shareholders lose, not the public at large.
Bandwidth insurance, like health care? (Score:4, Insightful)
In health care, you have a pool of people, really sick, regular, and extra healthy (hold the fries).
As long as there are not too many sick people, the cost can be spread over everyone in the pool.
But when there are too many sick people, it does not work, and someone is left to pay the bill.
But as rdewald draws a comparison to utilities, I agree that bandwidth should be more like a utility.
But frankly, it is at least an order of magnitude easier for someone to maliciously use your bandwidth than use your water or electricity, or even your POTS line. You have to be physically present there. Obviously in cases of bandwidth theft or malicious consumption, that is not true.
Lastly, to go out on a limb, IMHO, personal computer and network technology is still not ready for home use. We would really like to think so, but it seems that we are still at the point where autos were in the hand crank era. You gotta be or be related to a mechanic to own one. They are still really complicated machines that we geeks love. Now that is improving in some areas, such as open source operating system integrity and usability, but worse in others as there are few end users who really understand security issues. Can we draw an analogy to health safety with health care/ health insurance? You tell me.
Well, that's my 2 bits.
Re:I say charge the customer (Score:3, Insightful)
If they're being charged for incoming bandwidth (especially incoming UDP bandwidth like the slammer worm) then shutting off their server will not help.
As long as the router continues to send those packets to that IP, they'll keep getting those packets. It doesn't matter if the packets just fall off the end of an unplugged cable -- incoming bandwidth is incoming bandwidth is incoming bandwidth.
If I sent a huge SYN attack to your home DSL connection, and your machine crashes, are you responsible for the bandwidth before your machine goes down? Are you responsible for the bandwidth after your machine has crashed, but before the ISP's realized you're not on the other end anymore?
To play the game, let's force ISPs to a few rules (Score:3, Insightful)
proof of malicious intent (Score:4, Insightful)
While
The day anybody becomes liable for linking to a page on the internet will be the end of the world wide web...that's the whole premise of the thing...
The only thing I can think of is something similar to the robots.txt file...have your webserver have a slashdot.txt file that says something like NoSlashdotLinkage = true in it or something, anything similar to the thing for preventing search engines.
Re:Balanced response. (Score:3, Insightful)
This is why... (Score:2, Insightful)
You pay for capped bandwidth, and your bill never changes.
Andy
Re: Simple policy (Score:4, Insightful)
Re:analogous to water/electric company IMHO (Score:1, Insightful)
Treat it like they treat Phreaking... (Score:3, Insightful)
The answer should equate to who should eat the cost of a DoS trojan.
Ironic... (Score:2, Insightful)
I feel this is an excellent time to discuss SLASHDOT'S moral obligations in linking. Certainly some shops can handle the amount of traffic that is sent their way by getting posted here, but in other cases the server gets hosed, the bandwidth bill goes through the roof, or worse! (remember the guy with the barcode entry system to his house?)
C'mon editors! At least make it so the front page links link to cached text copies sans images or something.
Re:analogous to water/electric company IMHO (Score:5, Insightful)
This would be like dealing with stolen credit cards. When a credit card is stolen the owner gets 24 hours to report it and is only liable for $50. If they wait up to 72 hours, they are only liable for $500. I'm not sure what happens after that. This system protects both the credit card company and the credit card user by ensuring prompt reporting of stolen credit cards and fraudulent activity (and can hopefully catch the crook). This system has worked fairly well.
The implications for ISPs and their customers for a similar system would be pretty interesting. The customers who actively monitor their network traffic and help to head off problems would be rewarded by being less liable for damage, while ISPs would be free to give the full bill to those who ignore their bandwidth usage. This system should lead to lower costs for the better customers and discourage negligence, possibly leading to better service for all.
Security and responsibility. (Score:2, Insightful)
The security of my computer (and therefore, my bandwidth) is my responsibility. The physical security of my house is my responsibility. What about my car at the parking lot? Most places say they're not liable. So...I take the responsibility of making sure my doors are locked (and taking the risk of an actual glass-break-in) if I want to shop at [department store]. Being live on the internet isn't much different. You're still traversing among the public, only now the population is MUCH bigger. As soon as I stick my Cat5 in the wall, security IS my responsibility. I don't buy the stance of "it's Microsoft's fault my box is insecure, and there was no patch." We're all adults. You run what you choose on your equipment, and that's your decision. My ISP runs wide open, and they make it known that there isn't any filtering and firewalling going on. They like to deal with the computer savvy customer and encourage the use of a non-windows machine for your firewall, and have free classes on how to set it up. If my WinNetOpenBeOSFreeBSDLinuxBox gets hacked and there's a patch or a config file that I neglected to update/change/whatever, isn't it my responsibility? I think so... You take your lumps, learn, and do better next time. The internet, like the circus, is a place where the smart get sifted from the ignorant, and usually the ignorant get parted with their money. Pay your nickel (i.e. know your network), ride the ride...otherwise, you're in Soviet Russia....
Legal Liability (Score:3, Insightful)
In the case where the theft occurred (mutually) from both a commercial and private victim, the commercial victim is generally assigned the majority of the loss because they are considered to have superior knowledge and been in a better position to have prevented the theft from taking place.
Since the theft was allowed by two entities (the target Computer and the ISP servers that allowed the theft to take place), both entities would probably be apportioned a percentage of the cost.
Since this has never gone to court, there is no case material to set some form of guidelines.
My guess is that apportioning the entire blame to the customer (and billing them) would not hold up if the customer filed against you.
Depending on what measures your ISP has taken to prevent this type of abuse (filters, scanning, etc.) you could probably get away with some form of apportionment where the customer is billed for part of the cost.
Tom
Re:It's in the contract (Score:1, Insightful)
The ISP's business model is flawed because it relies on the fiction that the customer has reasonable control over his inbound bandwidth.
This flaw is why there is a dilemma. Either a pissed-off customer who takes his business elsewhere or the ISP grudgingly eats the cost. Remember, unless you have a monopoly, you can't abuse your customers.
The ISP has some options, though.
1) Set an agreed upon limit for legitimate traffic and shape it.
2) Deploy an IDS and reject queries from compromised hosts.
3) Sue owners of compromised hosts to push the costs back to the generators of malicious requests.
Re:analogous to water/electric company IMHO (Score:5, Insightful)
We don't live in an (entirely) communist world. We don't get to pass out resources indiscriminately. We have a fixed amount of resources, and as with any case of supply and demand, the person holding the supply can (and should) charge for using the resource. In the case of network bandwidth, the resource is not obvious, but it is still tangible: It is network equipment and opportunity costs.
I get What i Pay for (Score:3, Insightful)
Because YOUR (isp) system of delivering bandwidth is faulty or doesn't account for abuse potentials is NOT my (consumer) fault.
If you decide to enforce a D/L cap, I myself will not be your customer....
If I was the average joe who opted to take on that bandwidth cost then I would blame YOU the ISP for allowing malicious data to be replicated at obvious expense.... as in if a port is responsible for great amounts of malicious (repetitive, near obvious redundant packet exchanges indicative of an attack, worm, or virus).
The whole thing is, as an ISP... the service you provide should be a fully enclosed package... no hidden/additional costs. And bandwidth capping should not incur automatic additional costs to the consumer after a limit is reached, it should result in a great limiting of bandwidth (after a certain amount is reached) or in a blocked connection (allow only the company's IP until the customer buys more bandwidth).
My personal opinion, we are getting dicked by the telecommunications industry from the top down... everything from home phones, cable, cell phones, broadband, T1s and more are grievously over-priced at a near basement cost to the mother companies. By the time a consumer receives their data the fixed price of hardware and the cost of ELECTRICITY has been multiplied ten-fold. Mid-Range ISPs are being squeezed by the big players, and in turn are having to offer misleadingly high "bandwidth" speeds with BullShit Capping.
Downloading megabytes into your cell-phone doesn't cost sprint shit, but you'll have to pay 1.00 per DL.
Of course the tel-cos are screaming bloody murder about their losses, but it isn't from data rates.
As a last note.... when we were all using 56kbps modems you could DL for days on end... you could call your local BBS and be charged a phone call while DLing full-speed for hours.... No extra cost... didn't cost them a thing since we paid for the phone-call.... Now that High-Speed is in the home.... and the tel-cos found they could save even more money by offering bandwidth speeds based on diluted averages of many users, they think it's fair to make more money by punishing those who ACTUALLY USE THEIR bandwidth. Bandwidth which is only ELECTRICITY. Do you honestly think Time Warner can offer 500 channels of digital cable, with "on demand" channels (where you can choose a movie and play it immediately) for 60 bucks a month and not provide that same (nearly continuous) data rate to internet connections?
Luckily.... with the advent of online movies, music and application servers and such, soon even joe email will be needing a constant high-speed connection.
Just my two cents.... VISION
--Enter The Sig--
Re:analogous to water/electric company IMHO (Score:3, Insightful)
You can also use the analogy of junk faxes. Your machine is set up and the number is available for anyone to call, but people can be prohibited from using your resources by sending you junk faxes.
Though without specific laws it probably comes down to contract and at that point it is probably buyer beware, whether you agree with it or not.
Re:Here's the problem Jerky... (Score:2, Insightful)
Second, I said DOS... and I said INCOMING. If someone pulls your subnets from ARIN and starts doing variable UDP DDOS attacks against oh.. I dunno say your DNS servers... what are you going to do? Shut down DNS? Block all UDP? I think not.
The key point I'm making is that I can make you eat a packet. If it's UDP, I can spoof my source address, so good luck blocking it by IP. Give me your IPs and I'll show you what I mean.
I own a small networking company that subleases space out of Exodus locations. And I'm telling you, it's not feasible to ask the average CoLo customer to do 24hr bandwidth monitoring, and real-time assessment of threats / packetshaping. When "Joe 4U" is asleep for 8 hours and his box is getting 100Mbits per second in DDOS traffic. There's a problem.
The ISP has the resources and the expertise to solve the problem. It amounts to signing users up to an agreement that allows the ISP to "automatically" take action to prevent this type of unintentional bandwidth usage in the event that they cannot contact the customer. Then you block it upstream and Joe 4U doesn't have to take you to court for his $10,000 bill.
-JE
Re:analogous to water/electric company IMHO (Score:3, Insightful)
For unexpected use, of course you can't demand a freebie, since it is understood that the fountain is for public use. However, suppose someone presses the button on the fountain and holds it for several hours without drinking anything. This seems like theft, to me.
Any service offered to the public has certain bounds within which it is expected to be used. People should have the authority to prevent others from abusing their services.
If someone is DOSing me, and I have no authority or technical capacity to stop their attack, then why should I pay for someone else's criminal behavior? If I immediately pull the plug on my network, call up the ISP to inform them, yet the packets still come cascading in... I have acted in good faith to do everything possible.
The current situation is like being able to watch the guy pressing the button on the fountain, and paying for the water, yet not being able to do anything to stop it. How can that be *my* fault?
Re:analogous to water/electric company IMHO (Score:3, Insightful)
Exactly. Not even a large account. If you shut me off for the rest of the month, I've got a problem. I need to have my site accessible. I just want to pick and choose which access (legitimate) I want to pay for.
Someone else said the ISP should firewall off the "bad" traffic. Does the ISP then complain to its upstream provider about that bandwidth? Someone has to either pass on the cost of that bandwidth or eat it.
Where do you draw the line? You could argue that your ISP has no business charging you for inbound UDP packets to SQL server port (1443 was it?) since you expect to only provide http on port 80. Next month there is another virus/worm that causes another spike, but this time by flooding the net with bogus TCP traffic on port 80. Now do you try to get your ISP to take that off your bill because it was from a virus/worm?
nat'l boundaries (Score:2, Insightful)
{
ISP B = new ISP(ISP_in_RUSSIA);
User Y = new User(I_don't_give_a_rip-Spammer);
Screw(A, X);
}
robi
Re:I get What i Pay for (Score:4, Insightful)
Good for low-usage servers with very short spikes of popularity.
You've just said that the ISP should eat the cost of the extra bandwidth...why? You agreed to burstable charges...they gave you more in advance, on condition you would pay for it with your next bill.
"Because YOUR (isp) system of delivering bandwidth is faulty or doesn't account for abuse potentials is NOT my (consumer) fault."
"If you decide to enforce a D/L cap, i myself will not be your customer...."
With that type of an attitude, you're saying you are entitled to unlimited bandwidth. The datacenter has an OC-48 into it...does that mean you're entitled to that? Not unless you paid for it...
The network has the capability to deliver high speeds, but if you didn't pay for that speed you're not entitled to it any more than someone who doesn't have the service at all is.
Solvable through bandwidth throttling (Score:3, Insightful)
Such a setup would allow for full utilization of the network bandwidth and avoid all the hassle of pissing people off by sending them extra bills or suspending their account.
Burst and 95th Percentile (Score:1, Insightful)
For flooding attacks and mass vulnerabilities, there is no doubt in my mind that this is the responsibility of the service provider. In fact, if service providers would cooperate by implementing sound routing policy, most of the flooding attacks on the internet would be eliminated as a whole. It's simple: Do not forward a packet originating in your AS unless said packet is from your address space. The customer *already* pays for the ability to burst, hence 95th percentile billing.
As for other attacks, I think that compromised hosts on a customer's network are the customer's responsibility. Get owned, and pay the bill. Service providers have no business dictating customer security policy if the internet is to remain an open medium.
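The routing policy described above (forward a packet only if its source address belongs to your own address space), as an added example and not code from the thread. The prefixes, customer port names and packets are constructed from documentation ranges; checking each customer port against that customer's own allocation is an assumption that tightens the same idea.

```python
"""Source address validation at the provider edge (constructed data)."""
import ipaddress

# Assumed address space announced by this AS (documentation ranges).
AS_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Assumed allocation per customer-facing port (hypothetical port names).
CUSTOMER_PORTS = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/28")],
    "cust-b": [
        ipaddress.ip_network("203.0.113.64/26"),
        ipaddress.ip_network("2001:db8:b::/48"),
    ],
}


def in_prefixes(addr, prefixes):
    """True if addr falls inside any prefix of the same IP version."""
    return any(addr.version == net.version and addr in net for net in prefixes)


def check_packet(pkt):
    """Return (verdict, reason) for a packet arriving from a customer port."""
    allocation = CUSTOMER_PORTS.get(pkt["port"])
    if allocation is None:
        return ("drop", "unknown ingress port")
    try:
        src = ipaddress.ip_address(pkt["src"])
    except ValueError:
        return ("drop", "malformed source address")
    if in_prefixes(src, allocation):
        return ("forward", "source within customer allocation")
    if in_prefixes(src, AS_PREFIXES):
        return ("drop", "source belongs to another customer")
    return ("drop", "source outside our address space")


def summarize(packets):
    """Count packets per reason so spoofing shows up in one place."""
    counts = {}
    for pkt in packets:
        _verdict, reason = check_packet(pkt)
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample traffic: legitimate sources mixed with forged ones.
SAMPLE_PACKETS = [
    {"port": "cust-a", "src": "198.51.100.5", "dst": "192.0.2.10"},
    {"port": "cust-a", "src": "203.0.113.70", "dst": "192.0.2.10"},
    {"port": "cust-b", "src": "192.0.2.77", "dst": "192.0.2.10"},
    {"port": "cust-b", "src": "2001:db8:b::1", "dst": "2001:db8:ffff::1"},
    {"port": "cust-b", "src": "not-an-ip", "dst": "192.0.2.10"},
    {"port": "cust-z", "src": "198.51.100.5", "dst": "192.0.2.10"},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["port"], pkt["src"], "->", *check_packet(pkt))
    print(summarize(SAMPLE_PACKETS))
```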
Re:analogous to water/electric company IMHO (Score:2, Insightful)
If the service provider was nice at all they would provide a log or usage stats via email to the customer stating they are coming close to max bandwidth or a warning that they've exceeded their bandwidth.
The problem, however, is that most of these people are on dial up connections or are unqualified/unable to set them up at home and is why they use web hosting services anyway. Some blame goes to the customer because they didn't search around for a provider that offers these services.
I have Cable Modem service and don't use its email or web hosting services even though they are free. I have a web server in my basement and I use zoneedit for DNS service (free up to 5 IPs) and have another server co-located for email which doesn't charge for bandwidth.
So, either you should search for a non-bandwidth charging service (you'll probably pay more
I liken it to flood insurance. The last few years the Northern MidWest (MN/Dakotas) experienced a lot of flooding. The people living on a flood plain bitched because their house flooded. So they rebuilt it and it flooded again 2 years later, though "scientists" stated floods only happen every 25 - 50 years... What do you expect living in a flood plain?
In this specific situation the ISP should be a little lenient and waive most of the fee which can be written off as a loss anyway. At which point the ISP should provide a specific clause, increase everyone's rate or fix their server to provide better monitoring capabilities and/or automated disabling, etc...
Sh*t happens... What's more important? Losing a few dollars one month or losing a few customers for life???
Why are we paying 2 times on same packet? (Score:2, Insightful)
I know it's a stupid question, but why not? Other than the fact that somewhere someone is saying "Shit, people finally woke up and realized they are paying twice for the same thing, there goes half our revenue." Why ARE we paying twice? Either pay for outgoing, or pay for incoming. If somewhere someone already paid to send that packet to the net, then the receiver should not have to pay for receiving that packet, or vice-versa.
The only real problem I can see with this is that you have clients and you have servers. With clients sending few packets to receive back several thousands (or millions). A new pricing model should really be setup for the whole system, but that will never happen unless everyone stops making money off the current system.
Real world not like posts on /. (Score:3, Insightful)
What many posts in this thread do not seem to take into account is the greater reality that is the web. With a completely patched server and firewalling that drops packets not desired to hit said server, incoming bandwidth is changed none-whatsoever. You have zero control over traffic until that traffic hits a device under your direct control. With most ISPs, that device can only be placed well past their traffic monitoring point. Ergo, you pay for bandwidth whether you want it or not.
You do have the ability to reduce the total amount of bandwidth consumed by dropping unwanted return connections but that may be irrelevant if your site is subjected to a DDoS attack.
The largest problem lies in determining whether traffic is "legitimate" traffic BEFORE it passes through the ISP's network to the client. That said, there are a great many possible ways to accomplish this, such as:
The above are merely ideas or concepts, I will leave implementation to those that require the features. But it gives a good idea of the directions that an ISP can go to mitigate the costs of unwanted bandwidth. Just like Credit Card companies will call a customer to verify that they really do want to purchase that Tiffany diamond in a State they've never visited before, maybe ISPs should be monitoring traffic for irregular patterns and contacting customers to verify that the traffic is legitimate.
ISPs can't merely turn a blind eye when the entire netblock they serve starts sending or receiving traffic generated by the latest worm, virus, etc. They should do their best to mitigate their losses and losses of their customers.
I'm not saying that customers are without blame, just that the people running ISPs may have more technical knowledge than that of their customers and should be proactive in protecting those customers from further harm. If you want a real-world, non-technical example, think Firestone and Ford. A problem created outside of Ford that could have been eliminated before reaching the customer if only greater due diligence had been used. By ignoring or overlooking the problem (I don't know the exact details) both Ford and its customers were negatively impacted. Was it Ford's fault that the tires were faulty? No. Could they have done something about the tires earlier? Possibly. Could the customer do something about the tires? Yes, but only after they knew of the problem by experiencing the negative consequences.
The scenario doesn't differ much when applied to unwanted bandwidth. If ISPs fail to do their part, unwitting customers will always suffer.
Make it work like credit card liability. (Score:3, Insightful)
Same thing for bandwidth. If the customer notices a problem and notifies the ISP so they can take steps to block / track the attack then they shouldn't have to pay. However, if they are too lazy to monitor their own gear, and/or call the ISP they deserve every dollar they get charged. The customer needs to be a partner with the ISP in fighting these sorts of things, otherwise the ISP never has a chance to catch the real criminals.
Of course, all this is for medium size and up ISP customers. Smaller businesses and/or individuals may just want a "turn it off if it goes above x" until I call model, which is completely reasonable.
How about I actually get the bandwidth I pay for? (Score:2, Insightful)
The "Mall" analogy (Score:2, Insightful)
It's a tough problem. You don't want your ISP playing God. Yet, you don't want to pay for unexpected bandwidth.
That's like saying you only want good bandwidth and none of the bad bandwidth. :)
Let's use a Mall analogy:
You build a shopping mall. There are roads leading into your mall. The city maintains the roads, but the parking lot and accessways into the malls and shops are maintained by you, the site owner.
If you get a lot of paying customers coming and they jam up your parking lots and driveways and walkways with cars and people who are willing to pay, you don't say anything because you're getting money.
However, let's say you get a lot of non-paying traffic. A large group of people decide to find a place to gather and organize and decide on your mall. They take up your parking spaces and take up the chairs in your food court or block walkways while they chat. No money being earned.
It's still traffic, but it is traffic you don't want. You still have to pay the electric bills and road maintenance. But you don't get compensated.
Who should foot the bill for your losses?
Seriously, the customer should monitor their systems and when they detect anomalies, should be able to work with their ISP to have the traffic in question blocked off. In the event of a DDOS/DOS, then they should seriously consider taking their system off the pipe.
ISPs should see this as a profit potential. I mean, offer your customers content based filtering. Let them set up their own filters and provide assistance service contracts.
In the end, the ISPs will make extra money, customers will feel more supported, and the network bandwidth will be better utilized.
As for the Mall, if there are people taking up space to the point of disturbing your business, it may be time to call in the police.
Customers and Providers really need to work together instead of pointing the finger.
Re:analogous to water/electric company IMHO (Score:3, Insightful)
What you are advocating is like claiming that you should pay the phone company for every time someone calls your phone, even if you don't answer it, even if you leave it off the hook, even if you leave it unplugged.
Re:analogous to water/electric company IMHO (Score:5, Insightful)
If you hold the customer responsible, then people angry with that person can just drive up that person's cost by choosing to flood him.
Re:analogous to water/electric company IMHO (Score:1, Insightful)
Do you then go ask for a credit from the utility because of the excessive/unexpected use?
It would be as if the customer of a phone company were charged for all incoming calls, and then were signed up to millions of telemarketing lists. There is too much chance of collusion and conspiracy between the people who charge for bandwidth, and the people who steal it. It reminds me a lot of virus writing/virus software vending or security consulting and exploit development. It's a dangerous situation and I think it should be fixed now before people take for granted that this is the way it will always be.