On Wed, 27 Aug 2003, David Schwartz wrote:
Analogically, imagine if Burger King kept getting shipments of buns that they didn't want but still had to pay for. Their customers would get pretty pissed if BK added an 'unwanted bun' charge to their bill (absent specific prior agreement). I pay for the food I order, not the food BK's suppliers ship to BK. Of course, it's reasonable for BK to raise their prices for the costs of having to deal with the unwanted food.
No, that wouldn't work; that would be an analogy to non-usage-based billing, e.g. I buy a 10Mb port from you and you don't charge me extra for unwanted bandwidth across your network.
The point is that 'usage' is supposed to be 'what you use', not what somebody else uses. 'My' traffic is the traffic I want, not the traffic you try to give me that I don't want.
I sympathize with the customer. There is no reason he should pay for traffic he did not request and does not want. If unwanted traffic raises your cost of providing the service for which you are paid (providing wanted traffic) then you should raise your rates.
That's the nature of the Internet, which is what you're buying: you get a permanent supply of unwanted packets, attacks, spam, viruses, etc. If you want to avoid it, don't connect to the Internet.
I don't want to avoid it, I just don't want to be charged for what I do not want. If someone FedExed me a bomb postage due, there are many things FedEx might do, but to try to get me to pay the postage is not one of them. There are few things I can do to stop FedEx from delivering me a bomb and there are many things FedEx can do to stop them from delivering one to me. In general, the customer cannot fix the problem.
In principle, one could certainly enter into an agreement where the customer agrees to bear the costs of unwanted traffic in exchange for a lower rate. But I certainly wouldn't assume the customer agreed to pay for traffic he doesn't want and didn't ask for unless the contract explicitly says so.
Most contracts define traffic as the averaged rate across the interface; they don't look into what that traffic is and whether anyone requested it. In this sense the comparison between Internet traffic and toll phone calls breaks down. It's also the basis for an argument on settlement-free bilateral peering ;p
Suppose, for example, my provider's network management scheme pings my end of the link every once in a while to see if the link is up. Suppose further this ping made a dent in my bill, so the provider decides to ping more often, say five times a second with large packets to be *sure* the link is reliable. Do you seriously think it's reasonable for me to pay for this traffic?
And for those people entering into contracts, make sure the contract is clear about what happens with DoS attacks and where the billable traffic is measured. Otherwise you might be pretty surprised if you get a bill for 250Mbps of traffic when you contracted for a 45Mbps circuit.
Indeed, but most contracts are either 95th percentile or another kind of smoothed average. If, however, it specifies, for example, that you are charged on the peak 5-minute average in the month, you could be in trouble!
There is no limit to how long a DoS attack can last. And your provider has no incentive to trace/filter if he gets a major profit if he can just make that attack last a few more hours. Even with 95th percentile billing, seven hours of 100Mbps can push your 95% from 5Mbps up to 12Mbps very easily. Heck, stalling from 6PM when the attack starts until 10AM the next morning could make them a bundle.
For those dealing with contracts already in place, if your provider argues that you are responsible for all attack traffic no matter what, ask them if that means you could possibly get billed for 1Gbps of traffic even though you only bought a T1.
Presumably, as the measurement is on the rate across the interface, this couldn't happen.
If the contract isn't explicit, it costs the provider just as much to drop the traffic at the interface as it does to send it over the interface. So the 'we have to pay for it' argument is not limited to the interface rate. By definition, anything two parties agree to with full knowledge is fair to both of them. How DoS attacks are handled should be part of the negotiation of any ISP/customer agreement. However, for many of the contracts I've seen, the contract was silent and ambiguous. For a 95th percentile agreement, it's reasonable for the customer to take responsibility for DoS traffic until he makes a request to the provider's NOC. It's also reasonable for the provider to charge a fixed 'incident fee' for each attack that requires NOC and network resources. It is not reasonable for the incentive structure to reward the NOC for doing nothing and penalize them for any attempt to help.

DS
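A small model of the two billing methods argued over above (95th percentile versus peak 5-minute average) and of how a DoS of a given length moves each bill. This is an added illustration, not code from any of the posters. Everything about the traffic is constructed and assumed, not taken from the thread: 5-minute averages over a 30-day month, a baseline of 2 Mbps idle, 5 Mbps during business hours and a 12 Mbps nightly backup window, and a counter on the customer-facing interface so that no sample can exceed the circuit rate (the point made about "the rate across the interface").

```python
# Added illustration of 95th-percentile vs peak-5-minute billing under a DoS.
# Not code from the original thread; the traffic below is constructed.
#
# Assumptions (not stated in the thread): one sample per 5 minutes, a 30-day
# month, and the provider's counter on the customer interface, so a sample
# is capped at the circuit rate.

SAMPLES_PER_HOUR = 12
DAYS_IN_MONTH = 30


def baseline_month(idle_mbps=2.0, busy_mbps=5.0, backup_mbps=12.0):
    """Constructed month of 5-minute averages: busy_mbps 09:00-17:00,
    backup_mbps 23:00-24:00 (a nightly backup), idle_mbps otherwise.
    Deterministic so the billed figures can be checked exactly."""
    samples = []
    for _day in range(DAYS_IN_MONTH):
        for slot in range(24 * SAMPLES_PER_HOUR):
            hour = slot // SAMPLES_PER_HOUR
            if 9 <= hour < 17:
                samples.append(busy_mbps)
            elif hour == 23:
                samples.append(backup_mbps)
            else:
                samples.append(idle_mbps)
    return samples


def inject_attack(samples, start_index, duration_hours, attack_mbps, link_mbps):
    """Overlay duration_hours of attack traffic starting at start_index.
    The interface counter can only see up to link_mbps, so a 250 Mbps flood
    against a 45 Mbps circuit is recorded as 45 Mbps per sample."""
    attacked = list(samples)
    count = int(duration_hours * SAMPLES_PER_HOUR)
    seen = min(attack_mbps, link_mbps)
    for i in range(start_index, min(start_index + count, len(attacked))):
        attacked[i] = max(attacked[i], seen)
    return attacked


def percentile_95(samples):
    """Burstable billing: sort the month's samples, discard the top 5 percent,
    bill the highest remaining sample."""
    ordered = sorted(samples)
    discarded = len(ordered) * 5 // 100
    return ordered[len(ordered) - discarded - 1]


def peak_5min(samples):
    """Billing on the single highest 5-minute average in the month."""
    return max(samples)


def attack_hours_absorbed(samples):
    """Hours of new peak traffic that 95th-percentile billing still hides: the
    5 percent discard window minus the samples already above the current
    95th-percentile value (existing bursts use up the window too)."""
    p95 = percentile_95(samples)
    window = len(samples) * 5 // 100
    already_above = sum(1 for s in samples if s > p95)
    return (window - already_above) / SAMPLES_PER_HOUR


if __name__ == "__main__":
    base = baseline_month()
    link = 45.0  # circuit rate, as in the 45Mbps example in the thread
    print("no attack: 95th pct %.1f Mbps, peak-5-min %.1f Mbps"
          % (percentile_95(base), peak_5min(base)))
    print("attack hours absorbed by the 95th percentile: %.1f"
          % attack_hours_absorbed(base))
    for hours in (6, 7, 40):
        hit = inject_attack(base, 0, hours, attack_mbps=250.0, link_mbps=link)
        print("%2dh at 250 Mbps: 95th pct %.1f Mbps, peak-5-min %.1f Mbps"
              % (hours, percentile_95(hit), peak_5min(hit)))
```

With these assumed numbers the 5 percent discard window is 36 hours, but the nightly backup already occupies 30 of them, so six hours of flooding are absorbed and a seventh lifts the 95th percentile from 5 to 12 Mbps, the same jump quoted above; a 40-hour attack overflows the window and bills the full 45 Mbps interface rate. Under peak-5-minute billing a single attack sample already bills at the interface rate. Whether a short attack moves the 95th percentile therefore depends on how bursty the baseline already is, which is why the contract's measurement method matters more than the attack's raw size.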