I mean if the traffic were unrealistically to increase so that bad traffic was 50% of all traffic we would all have to double our circuit and router capacity and you either pass that cost on directly (charge for extra usage) or indirectly (increase the $ per Mb) to the user.
I think you're right to say that if thats not acceptable to the user then usage based billing should be avoided for them but ultimately they will still incur the cost as you increase prices over time to foot the cost of increasing overheads.
Analogically, imagine if Burger King kept getting shipments of buns that they didn't want but still had to pay for. Their customers would get pretty pissed if BK added an 'unwanted bun' charge to their bill (absent specific prior agreement). I pay for the food I order, not the food BK's suppliers ship to BK. Of course, it's reasonable for BK to raise their prices for the costs of having to deal with the unwanted food. I sympathize with the customer. There is no reason he should pay for traffic he did not request and does not want. If unwanted traffic raises your cost of providing the service for which you are paid (providing wanted traffic) then you should raise your rates. In principle, one could certainly enter into an agreement where the customer agrees to bear the costs of unwanted traffic in exchange for a lower rate. But I certainly wouldn't assume the customer agreed to pay for traffic he doesn't want and didn't ask for unless the contract explicitly says so. And for those people entering into contracts, make sure the contract is clear about what happens with DoS attacks and where the billable traffic is measured. Otherwise you might be pretty surprised if you get a bill for 250Mbps of traffic when you contracted for a 45Mbps circuit. For those dealing with contracts already in place, if your provider argues that you are responsible for all attack traffic no matter what, ask them if that means you could possibly get billed for 1Gbps of traffic even though you only bought a T1. DS