Measured Internet good v. "bad" traffic

Have received complaints from usage-based-billing Internet customers lately
about not wanting to pay for the nuisance traffic caused by worm-of-the-day.
I believe that in the case of a short-duration, targeted attack that can
eventually be stopped, a billing credit is probably appropriate. But what
about these current plagues that go on for weeks or forever - what is your
network's response?
Some simply want the traffic filtered in our routers - permanently. That is
my least favorite option. Others want to simply not be billed for "bad"
traffic. My reaction is to suggest that metered billing is probably not for
you, then. But I could of course sympathize if I were footing the bill.
What are other network operators doing about this issue, if it is an issue
for them at all?

Thanks

Well imho the simple way to look at this is that short bursts are generally
swallowed up by the network and the upstreams and not charging is fine, however
for sustained traffic .. days or weeks or forever it's different, if you didn't
charge any customer for the increased bandwidth and load then you have to foot
the cost of the network and equipment upgrades and that is surely wrong?

I mean if the traffic were unrealistically to increase so that bad traffic was
50% of all traffic we would all have to double our circuit and router capacity
and you either pass that cost on directly (charge for extra usage) or indirectly
(increase the $ per Mb) to the user.

I think you're right to say that if that's not acceptable to the user then usage
based billing should be avoided for them but ultimately they will still incur
the cost as you increase prices over time to foot the cost of increasing
overheads.

Steve

> I mean if the traffic were unrealistically to increase so that bad traffic was
> 50% of all traffic we would all have to double our circuit and router capacity
> and you either pass that cost on directly (charge for extra usage) or indirectly
> (increase the $ per Mb) to the user.

> I think you're right to say that if that's not acceptable to the user then usage
> based billing should be avoided for them but ultimately they will still incur
> the cost as you increase prices over time to foot the cost of increasing
> overheads.

  Analogically, imagine if Burger King kept getting shipments of buns that
they didn't want but still had to pay for. Their customers would get pretty
pissed if BK added an 'unwanted bun' charge to their bill (absent specific
prior agreement). I pay for the food I order, not the food BK's suppliers
ship to BK. Of course, it's reasonable for BK to raise their prices for the
costs of having to deal with the unwanted food.

  I sympathize with the customer. There is no reason he should pay for
traffic he did not request and does not want. If unwanted traffic raises
your cost of providing the service for which you are paid (providing wanted
traffic) then you should raise your rates.

  In principle, one could certainly enter into an agreement where the
customer agrees to bear the costs of unwanted traffic in exchange for a
lower rate. But I certainly wouldn't assume the customer agreed to pay for
traffic he doesn't want and didn't ask for unless the contract explicitly
says so.

  And for those people entering into contracts, make sure the contract is
clear about what happens with DoS attacks and where the billable traffic is
measured. Otherwise you might be pretty surprised if you get a bill for
250Mbps of traffic when you contracted for a 45Mbps circuit.

  For those dealing with contracts already in place, if your provider argues
that you are responsible for all attack traffic no matter what, ask them if
that means you could possibly get billed for 1Gbps of traffic even though
you only bought a T1.

  DS

> > I mean if the traffic were unrealistically to increase so that bad traffic was
> > 50% of all traffic we would all have to double our circuit and router capacity
> > and you either pass that cost on directly (charge for extra usage) or indirectly
> > (increase the $ per Mb) to the user.

> > I think you're right to say that if that's not acceptable to the user then usage
> > based billing should be avoided for them but ultimately they will still incur
> > the cost as you increase prices over time to foot the cost of increasing
> > overheads.

> Analogically, imagine if Burger King kept getting shipments of buns that
> they didn't want but still had to pay for. Their customers would get pretty
> pissed if BK added an 'unwanted bun' charge to their bill (absent specific
> prior agreement). I pay for the food I order, not the food BK's suppliers
> ship to BK. Of course, it's reasonable for BK to raise their prices for the
> costs of having to deal with the unwanted food.

No that wouldn't work, that would be an analogy to non-usage based, e.g. I buy a 10Mb
port from you and you don't charge me extra for unwanted bandwidth across your
network..

> I sympathize with the customer. There is no reason he should pay for
> traffic he did not request and does not want. If unwanted traffic raises
> your cost of providing the service for which you are paid (providing wanted
> traffic) then you should raise your rates.

That's the nature of the Internet which is what you're buying.. you get a
permanent supply of unwanted packets, attacks, spam, viruses etc. If you want to
avoid it don't connect to the Internet.

> In principle, one could certainly enter into an agreement where the
> customer agrees to bear the costs of unwanted traffic in exchange for a
> lower rate. But I certainly wouldn't assume the customer agreed to pay for
> traffic he doesn't want and didn't ask for unless the contract explicitly
> says so.

Most contracts define traffic as the averaged rate across the interface, they
don't look into what that traffic is and whether anyone requested it. In this
sense the comparisons between internet traffic and toll phone calls break down,
it's also the basis for an argument on settlement free bilateral peering ;p

> And for those people entering into contracts, make sure the contract is
> clear about what happens with DoS attacks and where the billable traffic is
> measured. Otherwise you might be pretty surprised if you get a bill for
> 250Mbps of traffic when you contracted for a 45Mbps circuit.

Indeed, but most contracts are either 95 percentile or another kind of
smoothed average.. if however it specifies for example you are charged on the
peak 5 minute average in the month you could be in trouble!

> For those dealing with contracts already in place, if your provider argues
> that you are responsible for all attack traffic no matter what, ask them if
> that means you could possibly get billed for 1Gbps of traffic even though
> you only bought a T1.

Presumably as the measurement is on the rate across the interface this couldn't
happen..

Steve

> > Analogically, imagine if Burger King kept getting shipments of buns that
> > they didn't want but still had to pay for. Their customers would get pretty
> > pissed if BK added an 'unwanted bun' charge to their bill (absent specific
> > prior agreement). I pay for the food I order, not the food BK's suppliers
> > ship to BK. Of course, it's reasonable for BK to raise their prices for the
> > costs of having to deal with the unwanted food.

> No that wouldn't work, that would be an analogy to non-usage based, e.g. I buy a 10Mb
> port from you and you don't charge me extra for unwanted bandwidth across your
> network..

  The point is that 'usage' is supposed to be 'what you use', not what
somebody else uses. 'My' traffic is the traffic I want, not the traffic you
try to give me that I don't want.

> > I sympathize with the customer. There is no reason he should pay for
> > traffic he did not request and does not want. If unwanted traffic raises
> > your cost of providing the service for which you are paid (providing wanted
> > traffic) then you should raise your rates.

> That's the nature of the Internet which is what you're buying.. you get a
> permanent supply of unwanted packets, attacks, spam, viruses etc. If you want to
> avoid it don't connect to the Internet.

  I don't want to avoid it, I just don't want to be charged for what I do not
want. If someone FedExed me a bomb postage due, there are many things FedEx
might do, but to try to get me to pay the postage is not one of them. There
are few things I can do to stop FedEx from delivering me a bomb and there
are many things FedEx can do to stop them from delivering one to me. In
general, the customer cannot fix the problem.

> > In principle, one could certainly enter into an agreement where the
> > customer agrees to bear the costs of unwanted traffic in exchange for a
> > lower rate. But I certainly wouldn't assume the customer agreed to pay for
> > traffic he doesn't want and didn't ask for unless the contract explicitly
> > says so.

> Most contracts define traffic as the averaged rate across the interface, they
> don't look into what that traffic is and whether anyone requested it. In this
> sense the comparisons between internet traffic and toll phone calls break down,
> it's also the basis for an argument on settlement free bilateral peering ;p

  Suppose, for example, my provider's network management scheme pings my end
of the link every once in a while to see if the link is up. Suppose further
this ping made a dent in my bill, so the provider decides to ping more
often, say five times a second with large packets to be *sure* the link is
reliable. Do you seriously think it's reasonable for me to pay for this
traffic?

> > And for those people entering into contracts, make sure the contract is
> > clear about what happens with DoS attacks and where the billable traffic is
> > measured. Otherwise you might be pretty surprised if you get a bill for
> > 250Mbps of traffic when you contracted for a 45Mbps circuit.

> Indeed, but most contracts are either 95 percentile or another kind of
> smoothed average.. if however it specifies for example you are charged on the
> peak 5 minute average in the month you could be in trouble!

  There is no limit to how long a DoS attack can last. And your provider has
no incentive to trace/filter if he gets a major profit if he can just make
that attack last a few more hours.

  Even with 95 percentile billing, seven hours of 100Mbps can push your 95%
from 5Mbps up to 12Mbps very easily. Heck, stalling from 6PM when the attack
starts until 10AM the next morning could make them a bundle.

> > For those dealing with contracts already in place, if your provider argues
> > that you are responsible for all attack traffic no matter what, ask them if
> > that means you could possibly get billed for 1Gbps of traffic even though
> > you only bought a T1.

> Presumably as the measurement is on the rate across the interface this couldn't
> happen..

  If the contract isn't explicit, it costs the provider just as much to drop
the traffic at the interface as it does to send it over the interface. So
the 'we have to pay for it' argument is not limited to the interface rate.

  By definition, anything two parties agree to with full knowledge is fair to
both of them. How DoS attacks are handled should be part of the negotiation
of any ISP/customer agreement. However, for many of the contracts I've seen
the contract was silent and ambiguous.

  For a 95 percentile agreement, it's reasonable for the customer to take
responsibility for DoS traffic until he makes a request to the provider's
NOC. It's also reasonable for the provider to charge a fixed 'incident fee'
for each attack that requires NOC and network resources. It is not
reasonable for the incentive structure to reward the NOC for doing nothing
and penalize them for any attempt to help.

  DS
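
The 95th-percentile arithmetic discussed above, as an added example that is not part of the original thread. It assumes 5-minute samples over a 30-day month, and the traffic profile (a 1-5 Mbps daily cycle plus a one-hour 12 Mbps burst each night, so 30 of the 36 discarded hours are already used) is constructed; `port_mbps` is a hypothetical parameter modelling where the billable traffic is measured.

```python
import math

PER_HOUR = 12             # assumed: one sample per 5-minute polling interval
DAYS = 30                 # assumed: 30-day billing month (8640 samples)
PER_DAY = 24 * PER_HOUR

def baseline_month(burst_mbps=12.0):
    """Constructed profile: 1-5 Mbps diurnal load, 1-hour burst daily at 02:00."""
    month = []
    for i in range(DAYS * PER_DAY):
        slot = i % PER_DAY
        rate = 3.0 - 2.0 * math.cos(2 * math.pi * slot / PER_DAY)
        if 2 * PER_HOUR <= slot < 3 * PER_HOUR:
            rate = burst_mbps
        month.append(rate)
    return month

def with_attack(month, start_hour, hours, attack_mbps, port_mbps=None):
    """Overlay attack traffic. port_mbps caps each sample when usage is
    measured on the customer port; None models measurement upstream of it."""
    out = list(month)
    first = start_hour * PER_HOUR
    for i in range(first, min(len(out), first + hours * PER_HOUR)):
        rate = out[i] + attack_mbps
        out[i] = rate if port_mbps is None else min(rate, port_mbps)
    return out

def p95(month):
    """Discard the top 5% of samples and bill on the highest one left."""
    ordered = sorted(month)
    return ordered[len(ordered) - len(ordered) // 20 - 1]

def peak(month):
    """Billing on the single highest 5-minute average of the month."""
    return max(month)

def free_burst_hours(month):
    """Hours per month that 95th-percentile billing ignores."""
    return (len(month) // 20) / PER_HOUR

if __name__ == "__main__":
    base = baseline_month()
    print("ignored hours:", free_burst_hours(base), "baseline p95:", round(p95(base), 2))
    start = 10 * 24 + 18  # attack begins at 18:00 on day 10 (constructed)
    for hours in (6, 7, 40):
        hit = with_attack(base, start, hours, 100.0, port_mbps=45.0)
        print(hours, "h attack -> p95", round(p95(hit), 2), "peak", peak(hit))
```

On this profile a six-hour attack leaves the 95th percentile at about 5 Mbps and a seventh hour moves it to 12 Mbps, because the attack uses up what was left of the discarded 5%. Once the attack outlasts the 36 discarded hours, the billed rate follows the attack itself, limited only by the port cap if the measurement is taken there.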

> The point is that 'usage' is supposed to be 'what you use', not what
> somebody else uses. 'My' traffic is the traffic I want, not the traffic you
> try to give me that I don't want.

Okay but in Internet terms the receiver usually pays for the traffic without
necessarily initiating it, this is different from everyday experience of
FedEx-ing a parcel or making a telephone call in which it is the sender who
picks up the charge. This isn't really a question, it's more a statement of fact..

> I don't want to avoid it, I just don't want to be charged for what I do not
> want.

Which is a natural enough reaction but you don't necessarily get what you want :)
I can't see any ISP negotiating a transit contract which takes account of
unwanted traffic, apart from the fact that there is a real cost which has to be
borne somewhere (I previously suggested if they didn't charge you the Mbs they
would just increase the $$$s to compensate) it's just too complicated from a
billing point of view to work this out.

> Suppose, for example, my provider's network management scheme pings my end
> of the link every once in a while to see if the link is up. Suppose further
> this ping made a dent in my bill, so the provider decides to ping more
> often, say five times a second with large packets to be *sure* the link is
> reliable. Do you seriously think it's reasonable for me to pay for this
> traffic?

That would be deliberate on the provider's part and I'm sure some lawyer would be
able to put up a case for fraud.. that's not what we're talking about tho. If it
was required legitimately that would be different but in which case you could
make appropriate direct or indirect deductions to your costs.

> There is no limit to how long a DoS attack can last. And your provider has
> no incentive to trace/filter if he gets a major profit if he can just make
> that attack last a few more hours.

Indeed, and I'd be annoyed if my provider deliberately allowed this to happen,
I'd probably shut down my connection to them and find some relevant contractual
clause before demanding credit or legal action. I can't imagine they'd last too
long doing this to everyone! That said however, my own experience of big
providers (no names but one of whose name has been praised quite a lot recently
on this list) is that their abuse team were completely useless.

> By definition, anything two parties agree to with full knowledge is fair to
> both of them. How DoS attacks are handled should be part of the negotiation
> of any ISP/customer agreement. However, for many of the contracts I've seen
> the contract was silent and ambiguous.

True, but this is the nightmare legal world we're in, DoS attacks have tended
not to disrupt billing and we assume we won't be charged but you're right, these
days you have to explicitly mitigate for all possibilities..

> For a 95 percentile agreement, it's reasonable for the customer to take
> responsibility for DoS traffic until he makes a request to the provider's
> NOC. It's also reasonable for the provider to charge a fixed 'incident fee'
> for each attack that requires NOC and network resources. It is not
> reasonable for the incentive structure to reward the NOC for doing nothing
> and penalize them for any attempt to help.

Sounds like the start for a whole new discussion topic.. :)

Steve

I can have some sympathy for the customer in this case...But...

Do you consider the definition of 'bad traffic' to include spam?

To me, this is really simple. (as usual, IANAL, BUT...) It is 'theft of services' on the part of:

  a) the person(s) who wrote and released the virus, and

  b) contributory negligence on the part of anyone who didn't patch their systems when they found out.

It would remain an open legal question if the ISP could be held negligent for not blocking the ports. Not ground I, as an ISP, would like to see explored either. Even though we did block all the appropriate ports.

As to billing credit, it is an interesting problem. An equivalent would be someone causes your power utilization to go up. You still have to pay the bill. If you can prove who is doing it, you might be able to recoup some of the costs. This all comes, again, back to the matter of enforcement for the crimes. And LEOs being unwilling to do anything unless you can show a direct financial loss. Well, the financial loss is starting to show up. Complain to your upstream, and call the long arm of the law.

Bob

Raymond, Steven wrote: