I realize that you rescinded this post, but I still think it's worth responding to the arguments to show why they're wrong.
On Sun, Aug 31, 2003 at 03:44:00PM -0700, David Schwartz wrote:
If you don't want to, don't accept that traffic. It's just like a store stocking Christmas toys. If they don't sell, you're stuck with them. A customer will only pay for what he wants, not what you think he should want.
My car gets horrible mileage, therefore, I will only pay for the amount of gas that SHOULD be used according to the factory sticker, not the rest burned up by my fuel-inefficient driving methods.
Suppose most people did get the posted gas mileage, but one or two people suddenly got stuck with a bill for twenty times the usual amount. It would be very reasonable for car companies to 'insure' people against being that unlucky person because people do try to budget for fuel. Unlike DoS attacks, however, this hits everyone evenly anyway. It isn't a large, unpredictable cost over which the customer has no control.
I just rented a truck. A construction detour forced me to put more mileage on the truck than I intended, therefore, I will only pay for the mileage that I would have accumulated had there been no detours due to construction.
Some rental companies actually do this. They bill you based upon the expected mileage for a trip (usually subject to some limit to discourage lying). If people really did fear this (if it was significant), they might well seek insurance against such unexpected expenses and it would make sense for the rental agencies to provide this insurance themselves. Another key difference is that there's nothing truck rental agencies can do about construction. On the other hand, there are many things ISPs can do about DoS attacks.
No, this is not a store stocking Christmas toys, or a Progressive(tm) insurance commercial. This is bandwidth.
Right, and it's a product just like any other product that can be sold by widely differing business models. Make sure you and your customer (or you and your ISP) have a common understanding. Any fixed rate contract has some insurance aspects.
All of these arguments reflect technical thinking rather than business thinking. The business model that seems obvious to you is not the only possible business model. What seems reasonable from one side of the table seems reasonable from the other.
Again, I present the factual counter-example. I have never had a problem getting an ISP to agree not to bill for DoS attacks provided notification was timely (and I have negotiated on others' behalf several times). Some did insist on a reasonable per-incident fee ($400-$500), though oddly none have ever actually charged for that fee.
By the way, another thing I always negotiate for is the ability to opt-out of any permanent filtering of apparently valid traffic. We, of course, allow things like spoof prevention and emergency filters to deal with worms or other problems.
DS