200
submitted 8 months ago by King@lemy.lol to c/technology@lemmy.world
top 45 comments
sorted by: hot top controversial new old
[-] utubas@lemm.ee 149 points 8 months ago

"Netlify CEO here.

Our support team has reached out to the user from the thread to let them know they're not getting charged for this.

It's currently our policy to not shut down free sites during traffic spikes that doesn't match attack patterns, but instead forgiving any bills from legitimate mistakes after the fact.

Apologies that this didn't come through in the initial support reply."

This was posted 4 days ago in hackernews.

[-] mox@lemmy.sdf.org 60 points 8 months ago

I find it astonishing that Netlify had no safety mechanism in place to prevent this.

Saddling customers with unbounded liability is irresponsible; arguably negligent.

[-] Zikeji@programming.dev 46 points 8 months ago

Definitely negligent, I still remember the young adult who killed himself when he thought his Robinhood account was negative nearly 3 quarters of a million dollars.

[-] yuriy@lemmy.world 4 points 8 months ago

Oh jesus, THAT’S why there’s a million hoops to jump through before they even give you access to LOOK at options trading now. I always just figured someone lost a bunch of money and sued, that’s so grim.

[-] Aatube@kbin.social 1 points 8 months ago

“After looking into this, it seems you have a hit song on your site,” the email from Netlify customer support reads. “Maan Bou Jan Sang Lou by Teresa Tang. I was not aware of her, but she seems to be a popular Taiwanese singer. This song is 99% of your bandwidth usage over the past 30 days.”

The letter further explained that a lot of bandwidth was generated from user agents that “are quite ancient using Google Cloud addresses”.

“This would include devices such as circa 2010 iPads, Windows 98 & Windows 6 computers. So either you have a fanbase with a passion for older technology, or this was likely a DDoS attack. To me, this seems to be the latter,” the email continued and suggested hosting such files on third-party platforms, such as YouTube or SoundCloud.

After explaining the standard practice of reducing the bill to 20% after such attacks, which would be $20,900 in this case, the Netlify support team offered a better deal.

“I've currently reduced it to about 5%, which is $5,225. I know this is still a lot of money, and I apologize for the inconvenience. If you like, I can raise this internally to see what else can be done.”

The user wasn’t happy with that and decided not to pay but post their story on Reddit and Hacker News instead.

[-] Zagorath@aussie.zone 35 points 8 months ago

“Since the user opened a ticket with us this past Sunday, we’ve been actively researching this situation. Initially, we thought it might have resulted from a DDoS attack, which we stated in our first response. After some investigating, it looks as though the spike in traffic was not caused by a DDoS after all,” Dorian Kendal, CMO at Netlify, told Cybernews.

Instead, now they believe that this was a sustained download event of an mp3 file over a stretch of multiple days.

“We’re working directly with the user to better understand what’s happening on their end, so we can uncover what caused the dramatic increase in downloads,” Kendal said.

I'm confused, what is this supposed to mean? Some sort of non-distributed DOS attack? How would working with the customer help there? If they're susceptible to a denial of service, isn't that entirely an internal problem?

[-] iopq@lemmy.world 14 points 8 months ago
[-] Zagorath@aussie.zone 5 points 8 months ago

Fair point. DOS is perhaps the wrong word for it. But from that quote, it sounds like it's a similar behaviour to DOS tactics which involve finding ways to transform a relatively simple request into a large amount of work (or in this case, network traffic) for the server.

[-] echo64@lemmy.world 10 points 8 months ago

They are saying that it wasn't a ddos at all but organic use. The user was notified but did nothing. So they think their notifying stuff isn't good enough.

[-] Zagorath@aussie.zone 2 points 8 months ago* (last edited 8 months ago)

Sorry, but what exactly is a "sustained download event" supposed to be? It sounds like they're describing some sort of DOS-like attack that isn't a DDOS, where a user manages to force the server to serve up way more data over a sustained period of time than would be reasonable for downloading a single MP3 for normal use.

But maybe that's not what they mean. It's very unclear.

[-] Passerby6497@lemmy.world 9 points 8 months ago

Sorry, but what exactly is a "sustained download event" supposed to be?

I'm pretty sure they're describing something akin to what many small site owners have referred to as 'the hug of death'. If you're a small site that blows up on the front page of lemmy (or an actually large community site), you're going to experience sustained traffic that your site isn't capable of handling (be that at the computer resource or financial level in this case).

Normally the hug of death' just takes you offline when your provider can't handle the load or you blow past your providers thresholds. In this case, that threshold didn't appear to exist and it just kept adding to the bill.

[-] Zagorath@aussie.zone 5 points 8 months ago

Oh right. So they just mean the Slashdot Effect? A large and unexpected amount of organic traffic?

I think that "sustained download event" is a weird way of phrasing that, but thanks for the explanation.

[-] echo64@lemmy.world 3 points 8 months ago

They mean a lot of downloads were happening for a period of time.

[-] Aatube@kbin.social 2 points 8 months ago

Basically, it was a giant uptick in use that was likely made by human beings instead of a DDoS botnet, and they're still investigating where it came from

[-] ferralcat 9 points 8 months ago

I am too. Is the agreement to charge per mb downloaded? Do they not have some sort of "turn it off if I hit this max?* feature?

I usually avoid hosting solutions like this just because of this shit. I wanna know how much I'll owe before the month starts even. Anything else feels like gambling.

[-] Patches@sh.itjust.works 2 points 8 months ago* (last edited 8 months ago)

Of course they do but they can make 104k if they don't turn it on.

There are plenty of bandwidth restricted hosting sites out there. Sounds like that is what you want. Maximum speed regardless if that's used 24/7 or not. If more users request your site than that bandwidth allows - oh well.

[-] foggy@lemmy.world 29 points 8 months ago

Makes you wonder how many customers were wrongly charged some other less insane amount, and no one noticed because it wasn't jaw dropping.

[-] PoliticallyIncorrect@lemmy.world 19 points 8 months ago* (last edited 8 months ago)

The most expensive mp3 of his life..

[-] db2@lemmy.world 26 points 8 months ago

You wouldn't download a $104K hosting bill...

[-] PoliticallyIncorrect@lemmy.world 6 points 8 months ago* (last edited 8 months ago)

"Instead, now they believe that this was a sustained download event of an mp3 file over a stretch of multiple days."

Apparently the same mp3 downloaded/uploaded over and over again.

The most expensive mp3 of his life.

[-] IvanOverdrive@lemm.ee 11 points 8 months ago

I use Netlify to host my frontend projects and portfolio. Does anyone have a way to prevent something like this?

[-] scorpionix@feddit.de 45 points 8 months ago

Not use a hosting provider that charges by the amount of traffic?

This appears to be an extreme edge case but overall there is nothing preventing you from waking up to such a huge bill if your site turns into the most popular page on the internet over night.

[-] user224@lemmy.sdf.org -1 points 8 months ago* (last edited 8 months ago)

I didn't even think commercial host providers would do this.

The only service I knew about that had limit to transferred amount of data was grex.org, a non-commercial public unix shell. It had limit of 10MB/day for your web page, but it also didn't allow stuff like images.
However, that wasn't anything commercial. And I think before the shutdown it was just a single computer sitting in someone's basement.

[-] King@lemy.lol 34 points 8 months ago
[-] jkrtn@lemmy.ml 2 points 8 months ago

It's insane that a bill like this cannot be prevented.

[-] AtmaJnana@lemmy.world 2 points 8 months ago

Its not a bug, it's a feature.

[-] mouse@midwest.social 14 points 8 months ago

Not that it helps but the CEO claims they forgive for this type of attack/event. https://news.ycombinator.com/item?id=39521986

Netlify CEO here.

Our support team has reached out to the user from the thread to let them know they're not getting charged for this.

It's currently our policy to not shut down free sites during traffic spikes that doesn't match attack patterns, but instead forgiving any bills from legitimate mistakes after the fact.

Apologies that this didn't come through in the initial support reply.

And later they were asked if they would have responded if it didn't go viral. https://news.ycombinator.com/item?id=39522029

Question:

There are only two questions everyone have:

  1. Would Netlify forgive the bill if this didn't go viral?

  2. How do you plan to address this issue so that it never happens again?

Everyone here knew someone from Netlify would come and say OP wouldn't have to pay. That was a given. Now we want to know the important answers.

Answer by CEO:

  1. Yes. We've forgiven lots and lots of bills over the last 9 years and they haven't gone viral

  2. While I've always favored erring towards keeping people's sites up we are currently working on changing the default behavior to never let free sites incur overages

[-] cmnybo@discuss.tchncs.de 6 points 8 months ago

You can put the site behind cloudflare for DDOS protection. Unfortunately, it's not good for user privacy and it will make the site difficult to access over VPNs, proxies, and TOR.

Netlifiy is very expensive for bandwidth and the free bandwidth can be exceeded very quickly. I would look for something with a hard bandwidth cap. Then your site will just go offline if the bandwidth is exceeded.

[-] ipkpjersi@lemmy.ml 2 points 8 months ago

Unfortunately, it’s not good for user privacy and it will make the site difficult to access over VPNs, proxies, and TOR.

Difficult, but not impossible (unless the site owner also goes and futher implements additional measures like ASN blocking for known proxies/VPNs/etc), just solve a captcha and you should be on your way pretty much.

[-] superterran@discuss.online 4 points 8 months ago* (last edited 8 months ago)

You should take a look at GitHub Pages

[-] King@lemy.lol -1 points 8 months ago

I recommend hosting your projects on Cloudflare Pages, as it is a free service provider to the best of my knowledge.

[-] TechNerdWizard42@lemmy.world 4 points 8 months ago

I actually really respect their policy. Keep the site active and then forgive stupid bills if there was an error.

To shut down or disconnect a cloud service is terrible as usually it's in error. The errs on the side of the user knowing their stuff better than the hoster which is what I want in a provider.

[-] mosiacmango@lemm.ee 4 points 8 months ago* (last edited 8 months ago)

That "policy" was to reduce his bill from 104k to 5k initially. It was not "forgiven" until his story went viral.

So their actual policy was to send a user paying $0/month a bill for 5k for malicious behavior they didn't cause on the site. Thats not something to respect.

The CEO playing at "no no, we always forgive these" was not at all what he was told until after thousands if not hundreds of thousands of their potential customers saw how screwed he was by their non existent tools to rate limit bandwidth.

A 9yr old hosting company not having any programtic tools to limit biling is an intentional choice, not some oversight. It's clearly their buisness model to have people go over the free tier unintentionally, just not unintentionally enough to go viral.

[-] HHK@lemmy.world 3 points 8 months ago

Is it possible to avoid that hotliking of a file? in this case was a heavy mp3 file, but it easly could be a heavy image or a video.

[-] yuriy@lemmy.world 1 points 8 months ago* (last edited 8 months ago)

The email he got from support suggested hosting the mp3 on a third party site like youtube or soundcloud, which is a good idea I reckon. Youtube would work for videos, and I guess imgur or imgbb for images?

Not ideal, but all free!

[-] Alto@kbin.social 1 points 8 months ago

Just because I know most won't actually click on the article

In a quirky response, the company’s customer support team reduced the bill to $5,225. And when the story started trending online, the CEO decided that the user wouldn’t be charged at all.

[-] Aatube@kbin.social 1 points 8 months ago

“After looking into this, it seems you have a hit song on your site,” the email from Netlify customer support reads. “Maan Bou Jan Sang Lou by Teresa Tang. I was not aware of her, but she seems to be a popular Taiwanese singer. This song is 99% of your bandwidth usage over the past 30 days.”

The letter further explained that a lot of bandwidth was generated from user agents that “are quite ancient using Google Cloud addresses”.

“This would include devices such as circa 2010 iPads, Windows 98 & Windows 6 computers. So either you have a fanbase with a passion for older technology, or this was likely a DDoS attack. To me, this seems to be the latter,” the email continued and suggested hosting such files on third-party platforms, such as YouTube or SoundCloud.

After explaining the standard practice of reducing the bill to 20% after such attacks, which would be $20,900 in this case, the Netlify support team offered a better deal.

“I've currently reduced it to about 5%, which is $5,225. I know this is still a lot of money, and I apologize for the inconvenience. If you like, I can raise this internally to see what else can be done.”

The user wasn’t happy with that and decided not to pay but post their story on Reddit and Hacker News instead.

One user on Hacker News with the alias ‘bobfunk’ introduced himself as the Netlify CEO and assured users that the bill would be forgiven. Cybernews was unable to verify the CEO’s identity independently. However, many previous posts from the same user and his bio support the claim of him being Matt Biilmann, the founder of Netlify.

In another twist, the DDoS attack version of the story is being ruled out

“Since the user opened a ticket with us this past Sunday, we’ve been actively researching this situation. Initially, we thought it might have resulted from a DDoS attack, which we stated in our first response. After some investigating, it looks as though the spike in traffic was not caused by a DDoS after all,” Dorian Kendal, CMO at Netlify, told Cybernews.

Instead, now they believe that this was a sustained download event of an mp3 file over a stretch of multiple days.

“We’re working directly with the user to better understand what’s happening on their end, so we can uncover what caused the dramatic increase in downloads,” Kendal said.

“We’ve confirmed that the user was notified multiple times about the additional bandwidth that was being consumed on their site, but given their lack of response to these notifications, we believe that we should revisit and improve the messaging and urgency that’s being communicated.”

[-] HarkMahlberg@kbin.social 2 points 8 months ago* (last edited 8 months ago)

I'm kind of impressed by the amount of research they did to figure out why this guy's bill was so high, then immediately offered a resolution, and then immediately offered another avenue if the resolution wasn't good enough. Shout out to the customer service rep.

this post was submitted on 02 Mar 2024
200 points (93.9% liked)

Technology

59648 readers
1516 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS