Re: How to game the system (was Re: What does 95th %tile mean?)
On Thu, 19 April 2001, Greg A. Woods wrote:
> This is the Internet -- it's not a circuit-based telephone connection network, and it's not ATM (though either may be used to transport IP, of course). It's certainly not equivalent to a power distribution grid where excess demand starts to look like a short circuit and causes real damage. The traffic on the Internet is little bunches of packets that can interleave between each other. Real-world traffic flows on IP networks are incredibly variable and resilient, partly due to the heroic efforts of higher level protocols such as TCP.
True, there is some buffering in the Internet. And it does make it much more resilient to short term peaks. But as any DDOS attack shows, if you use near peak capacity for even a short term, other traffic is rudely shoved aside. Further, traffic does not return to its original levels for a considerable period of time after each peak capacity event. If you set up conditions just right, not only will you not receive "peak" payment from the customer gaming the system, you receive lower payments from all your "average" customers too.
On 19 Apr 2001, Sean Donelan wrote:
> True, there is some buffering in the Internet. And it does make it much more resilient to short term peaks. But as any DDOS attack shows, if you use near peak capacity for even a short term, other traffic is rudely shoved aside. Further, traffic does not return to its original levels for a considerable period of time after each peak capacity event. If you set up conditions just right, not only will you not receive "peak" payment from the customer gaming the system, you receive lower payments from all your "average" customers too.
That's why statistical queueing which penalizes unfriendly flows is a good thing. http://www.eecs.umich.edu/~wuchang/blue/ You could think of the unfriendly penalizing as a data version of a 'self-resetting fuse': disobey the rules (congestion control) and find yourself cut off.
[ On , April 19, 2001 at 23:53:29 (-0700), Sean Donelan wrote: ]
Subject: Re: How to game the system (was Re: What does 95th %tile mean?)
> True, there is some buffering in the Internet. And it does make it much more resilient to short term peaks. But as any DDOS attack shows, if you use near peak capacity for even a short term, other traffic is rudely shoved aside. Further, traffic does not return to its original levels for a considerable period of time after each peak capacity event.
That's partly true and partly not true. I have worked on lots of pipes that are flat-line pegged full for hours at a time (though none that are really fat, i.e. >10mbit/s). Everything works just fine. Even sensitive connections such as SSH don't get dropped. Connections ramp up normally (to as far as they can go) and don't stall for long periods of time. People might say "The Internet is slow", but they won't complain that it's broken. There are lots of Internet pipes running at capacity in the real world -- just maybe not so many in the USA.

The difference with most DDoS attacks is that they have one or a very few "targets" (i.e. one host, or one subnet which equals one port on a router, etc.). Those types of DDoS attacks are damaging to everyone's perception of how a network is performing because they present a radically unbalanced flow, or small set of flows, against the normal traffic distribution. The result is that lots of little connections get pushed aside, and too many packets overall get dropped. Obviously the DDoS attacker doesn't really care if all his data gets through -- he's more than happy to have it mostly all end up in the bit bucket just so long as he's causing other flows to end up there too.

In the real world a paying customer will be using TCP or some such protocol which will flow control itself if there's not enough available capacity to run at full speed (or heaven forbid if there's loss that can't be avoided by flow control). So, no matter how big my pipe, and how many or few TCP connections I try to push/pull through it, I cannot create a burst that will affect other customers in any long-term significant fashion, especially if all the other customers also have the same size pipe.

So, it's not just the buffering, it's also the fact that routers are allowed to drop packets when they get really stuffed full of traffic, and the fact that most of the higher level protocols use windowed acknowledgments to create a flow control mechanism.
> If you set up conditions just right, not only will you not receive "peak" payment from the customer gaming the system, you receive lower payments from all your "average" customers too.
Who sets up what?!?!?!? Show me a real-world example of how someone can cause disruptive peaks of normal traffic and not get billed for them, and also not end up paying more than they would have paid if they'd simply played fairly. Alex Pilsov's example scenario is about the only way to "shape" your traffic against Nth percentile peak usage billing without affecting its availability or reliability or integrity but I seriously doubt the dollars can work in his favour and save him anything at all.

Maybe the industry will eventually find that 95 is a bad number and it really has to be 96, or even 98. All I know is that if you're selling ethernet, or even high-speed SDSL, you cannot fairly bill at the 100'th percentile of peak bandwidth usage. Any user stupid enough to sign a deal based on 100'th percentile peak bandwidth usage (when buying a pipe much fatter than they require) is probably getting taken to the cleaners and obviously doesn't understand how data moves on the Internet.

Someone who knows more about statistics than I do, and who has a statistically significant number of customers, can work out bulk throughput pricing that takes the peaks of "normal" usage into account along with the port speed (that seems to be what some of the bigger dial-up and DSL providers are doing). It's pretty hard to do informed comparison shopping with such deals against other models though and there's no way for a fair user to shape their traffic in ways that will benefit both the user and the ISP. However if you've only got one or two port speeds, e.g. 100mbit full-duplex ethernet, and maybe not so many customers, then billing at Nth percentile peak bandwidth usage is probably going to work out better for all.

--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
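Added example, not part of any poster's message: how Nth-percentile billing rates come out for a bursty month and a steady one at the 95, 96, 98 and 100 cutoffs mentioned in the thread, plus a peak-to-billed ratio a provider could use to spot usage that sits above the cutoff. The 5-minute sample interval, the 30-day month, the nearest-rank percentile method and all traffic figures are assumptions constructed for illustration.

```python
# Assumption: one utilisation sample every 5 minutes over a 30-day month.
SAMPLES_PER_MONTH = 30 * 24 * 12   # 8640 samples


def percentile_rate(samples, pct):
    """Billable rate: sort the samples, ignore the top (100 - pct)%,
    and bill the highest sample that remains. pct is an integer."""
    ordered = sorted(samples)
    # Nearest-rank percentile, ceil() done in integer arithmetic.
    rank = max(1, (pct * len(ordered) + 99) // 100)
    return ordered[rank - 1]


def burst_profile(base, peak, burst_samples, n=SAMPLES_PER_MONTH):
    """Constructed month: `burst_samples` samples at `peak` Mbit/s,
    every other sample at `base` Mbit/s."""
    return [peak] * burst_samples + [base] * (n - burst_samples)


def billing_table(samples, cutoffs=(95, 96, 98, 100)):
    """Billable rate at each percentile cutoff."""
    return {p: percentile_rate(samples, p) for p in cutoffs}


def peak_to_billed(samples, pct=95):
    """True peak divided by billed rate. 1.0 means the bill reflects the
    peak; a large value means the peaks all fall in the discarded tail."""
    return max(samples) / percentile_rate(samples, pct)


if __name__ == "__main__":
    profiles = {
        "steady 40 Mbit/s": [40] * SAMPLES_PER_MONTH,
        "10 base, 100 peak, 400 samples": burst_profile(10, 100, 400),
        "10 base, 100 peak, 519 samples": burst_profile(10, 100, 519),
    }
    for name, samples in profiles.items():
        print(name, billing_table(samples),
              "peak/billed:", round(peak_to_billed(samples), 1))
```

With these assumptions the cutoff is sharp: 432 burst samples (exactly 5% of the month) bill at the base rate, and 433 bill at the peak.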
participants (3): Greg Maxwell, Sean Donelan, woods@weird.com