North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Economics of flooding

  • From: John Kinsella
  • Date: Tue Apr 02 15:25:12 2002 
On Tue, Apr 02, 2002 at 01:51:54PM -0600, Basil Kruglov wrote:
> On Tue, Apr 02, 2002 at 10:06:58AM -0800, Livio Ricciulli wrote:
> > Is anyone aware of a process for claiming a deduction in charges when 
> > fees are associated with a flooding attack? 
> Of the top of my head, not UUnet, C&W, Sprint, Genuity, Exodus, Globix,
> Verio, to name a few, will go thus far to fix the billing issue, they have
> different chain of people working at each level/department, they might bend
> once but that's as far as it goes. 9 out of 10 times they'll ask you to
> commit to more transit or/and get a flat pipe.

In my past life at Globix, I was occasionally able to get the fees
reduced and a customer slapped on the hand.  What it comes down to as
Basil hinted is a finite resource is being used, and somebody needs to
play for it.

Livio asked for a process...while informal, this was usually ours:
 * Customer gets bill at end of month, sees huge number, screams bloody
   murder to sales rep.
 * Sales rep pulls up Concord NetHealth (or whatever it's called
   nowdays) and looks at traffic graph for last month.  More than likely
   sees huge spike somewhere durning the month, or if box was turned
   into a warez site, a dramatic change in average traffic flow.  Sales
   guy prints out page and wanders over to a tech to ask what the
   picture means.
 * Techie laughs, takes page and shows to fellow coworkers, who also
   laugh, then groan, recognizing there will be multiple phone
   calls/meetings with client and sales to explain, several time over,
   what probably happened and why we're not going to just wave the bill
   because it was an accident.
 * After a few months, client would usually get a credit, if they agreed
   to buy more services or something similar.

In the event of a clued client recognizing an attack, or something
significant enough happening that it had noticable effects on our gear,
it went something like this:
 * Either client calling our NOC, or one of us realizing that something
   just went *snap*
 * Issue getting escallated fairly quickly up to somebody senior
 * Customer either working with us to stop attack, or we down their port
   until they arrive at the DC to fix their server.

...usually in the second case, things are recognized quickly enough that
it falls into the 36 hr window of available bursting for the month.

John