nanog mailing list archives

RE: Measured Internet good v. "bad" traffic
From: "David Schwartz" <davids () webmaster com>
Date: Thu, 28 Aug 2003 02:45:25 -0700

On Wed, 27 Aug 2003, David Schwartz wrote:

    Analogically, imagine if Burger King kept getting shipments of buns that
they didn't want but still had to pay for. Their customers would get pretty
pissed if BK added an 'unwanted bun' charge to their bill (absent specific
prior agreement). I pay for the food I order, not the food BK's ship to BK.
Of course, it's reasonable for BK to raise their prices for the costs of
having to deal with the unwanted food.

No that wouldn't work, that would be an analogy to non-usage based eg I buy a
10Mb port from you and you don't charge me extra for unwanted bandwidth
across your

        The point is that 'usage' is supposed to be 'what you use', not what
somebody else uses. 'My' traffic is the traffic I want, not the traffic you
try to give me that I don't want.

    I sympathize with the customer. There is no reason he should pay for
traffic he did not request and does not want. If unwanted traffic raises
your cost of providing the service for which you are paid (providing wanted
traffic) then you should raise your rates.

That's the nature of the Internet which is what you're buying.. you get a
permanent supply of unwanted packets, attacks, spam, viruses etc. If you want
to avoid it don't connect to the Internet.

        I don't want to avoid it, I just don't want to be charged for what I do not
want. If someone FedExed me a bomb postage due, there are many things FedEx
might do, but to try to get me to pay the postage is not one of them. There
are few things I can do to stop FedEx from delivering me a bomb and there
are many things FedEx can do to stop them from delivering one to me. In
general, the customer cannot fix the problem.

    In principle, one could certainly enter into an agreement where the
customer agrees to bear the costs of unwanted traffic in exchange for a
lower rate. But I certainly wouldn't assume the customer agreed to pay for
traffic he doesn't want and didn't ask for unless the contract says so.

Most contracts define traffic as the averaged rate across the interface, they
don't look into what that traffic is and whether anyone requested it. In this
sense the comparisons between internet traffic and toll phone calls break
down, it's also the basis for an argument on settlement free bilateral
peering ;p

        Suppose, for example, my provider's network management scheme pings my end
of the link every once in a while to see if the link is up. Suppose further
this ping made a dent in my bill, so the provider decides to ping more
often, say five times a second with large packets to be *sure* the link is
reliable. Do you seriously think it's reasonable for me to pay for this

    And for those people entering into contracts, make sure the contract is
clear about what happens with DoS attacks and where the billable traffic is
measured. Otherwise you might be pretty surprised if you get a bill for
250Mbps of traffic when you contracted for a 45Mbps circuit.

Indeed, but most contracts are either 95 percentile or another kind of
smoothed average.. if however it specifies for example you are charged on the
peak 5 minute average in the month you could be in trouble!

        There is no limit to how long a DoS attack can last. And your provider has
no incentive to trace/filter if he gets a major profit if he can just make
that attack last a few more hours.

        Even with 95 percentile billing, seven hours of 100Mbps can push your 95%
from 5Mbps up to 12Mbps very easily. Heck, stalling from 6PM when the attack
starts until 10AM the next morning could make them a bundle.

    For those dealing with contracts already in place, if your provider argues
that you are responsible for all attack traffic no matter what, ask them if
that means you could possibly get billed for 1Gbps of traffic even though
you only bought a T1.

Presumably as the measurement is on the rate across the interface this
couldn't

        If the contract isn't explicit, it costs the provider just as much to drop
the traffic at the interface as it does to send it over the interface. So
the 'we have to pay for it' argument is not limited to the interface rate.

        By definition, anything two parties agree to with full knowledge is fair to
both of them. How DoS attacks are handled should be part of the negotiation
of any ISP/customer agreement. However, for many of the contracts I've seen
the contract was silent and ambiguous.

        For a 95 percentile agreement, it's reasonable for the customer to take
responsibility for DoS traffic until he makes a request to the provider's
NOC. It's also reasonable for the provider to charge a fixed 'incident fee'
for each attack that requires NOC and network resources. It is not
reasonable for the incentive structure to reward the NOC for doing nothing
and penalize them for any attempt to help.
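
The 95th-percentile arithmetic discussed in the message above, worked through as an added example that is not part of the original post. It assumes a 30-day month of 5-minute samples and a constructed traffic profile (5 Mbps base with a one-hour daily peak at 12 Mbps); the function names and all figures are illustrative.

```python
# Added illustration; all traffic figures are constructed, not measured data.
SAMPLES_PER_HOUR = 12                      # one sample per 5-minute interval
SAMPLES_PER_DAY = 24 * SAMPLES_PER_HOUR
DAYS = 30                                  # assumed billing period


def baseline_month(base_mbps=5.0, peak_mbps=12.0, peak_hour=12):
    """Constructed profile: flat base rate plus a one-hour daily peak."""
    samples = [base_mbps] * (DAYS * SAMPLES_PER_DAY)
    for day in range(DAYS):
        start = day * SAMPLES_PER_DAY + peak_hour * SAMPLES_PER_HOUR
        for i in range(start, start + SAMPLES_PER_HOUR):
            samples[i] = peak_mbps
    return samples


def with_attack(samples, hours, rate_mbps=100.0, day=10, start_hour=18):
    """Return a copy with `hours` of attack traffic starting at start_hour."""
    out = list(samples)
    start = day * SAMPLES_PER_DAY + start_hour * SAMPLES_PER_HOUR
    for i in range(start, min(start + hours * SAMPLES_PER_HOUR, len(out))):
        out[i] = max(out[i], rate_mbps)
    return out


def billed_95th(samples):
    """Sort, discard the top 5% of samples, bill the highest one left."""
    ordered = sorted(samples)
    discard = len(ordered) * 5 // 100
    return ordered[len(ordered) - discard - 1]


if __name__ == "__main__":
    month = baseline_month()
    print("no attack:", billed_95th(month), "Mbps")
    for hours in (6, 7, 16, 40):
        rate = billed_95th(with_attack(month, hours))
        print(f"{hours:>2} h attack: {rate} Mbps")
```

In this profile the daily peaks already occupy 360 of the 432 samples that get discarded, so a six-hour attack is absorbed, a seven-hour one moves the billed rate from the base to the peak rate, and an attack longer than the remaining discard window is billed at the attack rate itself.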

