Comment by WyvernDrexx
1 year ago
Imagine you lost your job. So you are here enjoying creating and hosting your hobby projects in these services. Now, suddenly one fine morning you get slapped with a $104K bill because someone decided to randomly DDoS your one-page dog lover website.
Now, who in the world would be thinking of having DDoS protection for their hobby project? This is just absurd thinking.
No. This is absolutely common. I remember well how shared hosters 10 years ago already put caps on cheap packages and took the websites offline in case of traffic. And today it's Amazon who bills small players into debt.
There are many providers who don't, though.
I always loved nearlyfreespeech.com for this (prepay, and if you run out of money the site goes down), but found it to be a pain for projects that really needed a VPS.
Can't hosts just make a site unavailable once it reaches its plan's bandwidth limit, DDoS or not?
I think being offline is a lesser headache than a large bill, especially for those who are inclined to a free tier to begin with.
Folks regularly show up in HN comments during these discussions stating the opposite: that it's categorically better for all sites/projects, no matter how inconsequential, to stay online. It's weird.
This includes some of the TPTB, too. Occasionally, though, someone'll say the quiet part out loud. E.g. re fly.io:
> putting work into features specifically to minimize how much people spend seems like a good way to fail a company
<https://news.ycombinator.com/item?id=24699292>
This may seem weird, but I believe ToS are the real problem here. I call it the "car rental" problem.
When I rent a car in person, I am often given a contract. And this contract is filled with tiny print, and pages of it.
There are often people behind you, waiting, and bored/annoyed people behind the counter, waiting. This is beyond unreasonable.
A point of sale contract should be short, in readable text, and understandable. For example, renting a car? Under a page, easily parseable, and if the person behind the counter cannot explain it, it is null and void.
From a legal side, you can do this. And you can explain legal terms. Of course this means you are describing intent, which limits one in court, oh boo hoo Mr Lawyer. Cry me a river.
Well the same should be true of any retail contract. Sign up for a service? One page with costs listed.
At least then, there is hope of an end-user sort of understanding. And as one could claim that a DoS was actually targeting the provider, and not the website, that should be described too.
So back to the topic at hand. I would write a demand letter, insisting Netlify explain the charges, and ask them if they and their IP ranges were DoSed, and if so that the charges be reversed.
Because you should not be paying if someone attacks Netlify.
This letter should also be sent by mail, sig required, to the corporate address too.
> When I rent a car in person, I am often given a contract. And this contract is filled with tiny print, and pages of it.
As someone who reads the agreements I sign, one thing that has become prevalent is that they're so used to people not paying attention to what they're signing that they're sometimes not even giving you an accurate copy to review. For example, you read the thing and think, "Okay, I can work within these parameters," then you sign, and later get an email containing your "agreement", but it turns out what's in the email is a different set of terms with a bunch of stuff that wasn't in the terms you actually agreed to when you signed. Or someone hands you a pad with an "I agree to the terms" box checked beside the signature line, and when you ask to see the terms you're agreeing to, they're caught off guard (being totally unequipped to let you do that), which turns into being flummoxed with how to proceed, which turns into getting angry with you for asking.
Yup. And that's the part that needs to end. The angry part.
I have seen people understanding, but with an "oh, you're one of those people" look on their face. That too is entirely uncouth. But people should start recording these interactions, not obtrusively, as the purpose is not to intimidate, but instead just to make a record of what transpires.
I think legislation that makes any recorded retail interaction completely legal and admissible in court might be an interesting change.
Because if you are presented with a contract and "JUST SIGN THE DAMN THING!", or "It just means $x", or "People are waiting, just sign it!" and so on, that would likely go a long way toward indicating compulsion, or even (by describing intent) change the entire contract itself.
If this happens, it may be cheaper to just have sane contracts, and do non-dumb things, than try to train every employee that has public contact.
Every rental and service is so optimized against scammers and abusers that as a perfectly legit customer, i.e. you simply want to pay, use the resource, then return the item or terminate the service, you're walking along the edge of a cliff. Annexes, penalties, fees and charges, exclusions, "sign this one more form, everyone signs it". Housing rental is another extreme example; one is simply unable to just get a job in a new location and rent something long term.
This applies even offline! Have you ever tried to get a hold of exact insurance policy wording before going through their entire sales process? Impossible, in my experience, whether it's long-term insurance, vehicle insurance, pet insurance, etc.
It shouldn't be like this, but it is.
Unfortunately, in today's world, DDoS protection is the equivalent of basic hygiene, food and road safety. It's just a travesty that the hosting providers don't feel like it's their responsibility to address it.
I always run mine through Cloudflare, at least in part for this reason.