Home page logo

nanog logo nanog mailing list archives

RE: Measured Internet good v. "bad" traffic
From: "David Schwartz" <davids () webmaster com>
Date: Sun, 31 Aug 2003 17:25:14 -0700

        I realize that you rescinded this post, but I still think it's worth
responding to the arguments to show why they're wrong.

On Sun, Aug 31, 2003 at 03:44:00PM -0700, David Schwartz wrote:

If you don't want to, don't accept that traffic. It's just
like a store
stocking Christmas toys. If they don't sell, you're stuck with them. A
customer will only pay for what he wants, not what you think he
should want.

My car gets horrible mileage, therefore, I will only pay for the
amount of gas that SHOULD be used according to the factory sticker,
not the rest burned up by my fuel-inefficient driving methods.

        Suppose most people did get the posted gas mileage, but one or two people
suddenly got stuck with a bill for twenty times the usual amount. It would
be very reasonable for car companies to 'insure' people against being that
unlucky person because people do try to budget for fuel.

        Unlike DoS attacks, however, this hits everyone evenly anyway. It isn't a
large, unpredictable cost over which the customer has no control.

I just rented a truck. A construction detour forced me to put more
mileage on the truck than I intended, therefore, I will only pay for
the mileage that I would have accumulated had there been no detours
due to construction.

        Some rental companies actually do this. They bill you based upon the
expected mileage for a trip (usually subject to some limit to discourage
lying). If people really did fear this (if it was significant), they might
well seek insurance against such unexpected expenses and it would make sense
for the rental agencies to provide this insurance themselves.

        Another key difference is that there's nothing truck rental agencies can do
about construction. On the other hand, there are many things ISPs can do
about DoS attacks.

No, this is not a store stocking Christmas toys, or a Progressive(tm)
insurance commercial. This is bandwidth.

        Right, and it's a product just like any other product that can be sold by
widely differing business models. Make sure you and your customer (or you
and your ISP) have a common understanding. Any fixed rate contract has some
insurance aspects.

        All of these arguments reflect technical thinking rather than business
thinking. The business model that seems obvious to you is not the only
possible business model. What seems reasonable from one side of the table
seems reasonable from the other.

        Again, I present the factual counter-exemple. I have never had a problem
getting an ISP to agree not to bill for DoS attacks provided notification
was timely (and I have negotiated on others' behalf several times). Some did
insist on a reasonable per-incident fee ($400-$500), though oddly none have
ever actually charged for that fee.

        By the way, another thing I always negotiate for is the ability to opt-out
of any permanent filtering of apparently valid traffic. We, of course, allow
things like spoof prevention and emergency filters to deal with worms or
other problems.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]