Limit bandwidth to avoid high billing caused by DDoS?

Hello, I’m always afraid of “pay for usage” services that have no limits. In case of a DDoS or some popularity peak, the bill can go into thousands, which I’m not able to cover. We had this once at my previous company with one of the popular cloud providers - not a cool experience.

Is there any limit or setting to put into my account not to cross? I was searching for it but did not find anything.

2 Likes

hi koprowski,

this post should answer your questions, I think! it’s specific to API requests/redirects, but I think the answer still applies.

this might also be relevant:

Okay so I read it and my conclusion is - there is no safety net.

You can be charged with thousands of dollars if your site suddenly goes viral. Or attacked with DDoS.

That is quite worrying :confused:

Do I even get some automatic warning that my bandwidth (and costs) is growing rapidly?

Thanks for answering.

3 Likes

hi there,

those are good questions - as mentioned above, our services are designed to mitigate DDoS attacks - and while DDoS attacks do happen, they are generally not geared towards users on our starter tiers. (It’s probably obvious that for our Business customers with contracts, different kinds of rules apply.) If you are concerned that you will be targeted by a massive, wide-scale DDoS attack that would bring down our servers or cause an undue amount of traffic, we would probably benefit from chatting with you about what kind of a site you are asking us to host for free if it is likely to attract that kind of attention. We have only had a very limited number of DDoS attacks on Netlify despite many hundreds of thousands of sites.

If a DDoS is not focusing on your site specifically, but Netlify in general but ends up affecting your site (attacking a wide range of IP addresses/domains we point towards) then we won’t assume you carry responsibility for that.

Now, if something you host goes viral - congrats! We’re assuming that is not necessarily a bad thing - right? Again, it’s worth asking whether or not you intend to host content that would draw so many visitors for legitimate reasons that it would affect our services or rack up bandwidth.

That can happen, of course, and below is a thread of an example:

So, in short, I want to answer by asking a.) is this a realistic thing that could happen to you? b.) you are super welcome to investigate options to mitigate the fallout from a DDoS attack or viral content on your own!

Our priority is to keep your site up - that’s what our business is about. If that isn’t an approach that works for you and changes your decision to host with us, I understand. I definitely can make note of your concerns, and follow up here if things should change - as in, if we opt to add hard limits that take your site offline after a traffic spike.

You do get emailed notifications about bandwidth use at different times as you go over usage levels, yes. I believe there are 4+ different points in time when we email you as you approach the limit.

Let me know if you have any other questions!

1 Like

Hi! I believe our website (https://drukarmy.org.ua/) was also under a DDoS attack, as can be seen by Cloudflare stats that we pulled out (the forum does not allow fresh forum accounts to attach it here, unfortunately).

We are sure this is not real traffic. I have to mention that we enabled rate limiting with Cloudflare on December 29, and since the new billing period started (Jan 20) we are below the limit, but already quite high (62/100 GB). Is there anything we can do to avoid paying the high bills? The real traffic is way below the free quota and we would really like to stay with Netlify.

Hi there, thanks for reaching out! One thing you could consider is utilizing an Edge Function to block traffic from unwanted user agents or countries. You can see some examples of Edge Functions here to get an idea of how to create one: https://edge-functions-examples.netlify.app/

I hope this helps!
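As an added illustration of the suggestion above (this is example code written for this thread, not Netlify's own code or one of the linked examples), here is an Edge Function-style filter that rejects requests at the edge by User-Agent fragment or visitor country before they count against the site's bandwidth. The country codes and User-Agent fragments in the policy are constructed placeholders; `context.geo.country.code` and `context.next()` are the parts of Netlify's Edge Function context the handler relies on.

```javascript
// Constructed sample policy: replace with what your own logs justify blocking.
const POLICY = {
  // ISO 3166-1 alpha-2 codes the site does not serve (placeholder values).
  blockedCountries: new Set(["XA", "XB"]),
  // Case-insensitive User-Agent substrings to reject (placeholder values).
  blockedUserAgentFragments: ["python-requests", "curl/"],
  // An empty User-Agent is a common sign of scripted traffic; reject it too.
  blockEmptyUserAgent: true,
};

// Pure decision function, kept separate so it can be unit-tested offline.
// Returns a reason string when the request should be blocked, or null to allow it.
function blockReason(userAgent, countryCode, policy = POLICY) {
  const ua = (userAgent || "").trim();
  if (policy.blockEmptyUserAgent && ua === "") return "empty-user-agent";
  const lower = ua.toLowerCase();
  for (const fragment of policy.blockedUserAgentFragments) {
    if (lower.includes(fragment.toLowerCase())) return `user-agent:${fragment}`;
  }
  // Country is only known when the platform supplies it; missing geo data is not blocked.
  if (countryCode && policy.blockedCountries.has(countryCode.toUpperCase())) {
    return `country:${countryCode.toUpperCase()}`;
  }
  return null;
}

// Edge Function handler: Netlify invokes it as (request, context).
// context.geo.country.code holds the visitor's country; context.next() serves the site.
async function handler(request, context) {
  const userAgent = request.headers.get("user-agent");
  const countryCode = context.geo?.country?.code;
  const reason = blockReason(userAgent, countryCode);
  if (reason) {
    // A cheap 403 answered at the edge; the request never reaches the site's assets.
    console.warn(`blocked request: ${reason}`);
    return new Response("Forbidden", { status: 403 });
  }
  return context.next();
}

// In the deployed file (e.g. netlify/edge-functions/filter.js) add these two exports:
// export default handler;
// export const config = { path: "/*" };
```

Blocking by country or User-Agent only trims the obvious scripted share of a flood; it does not replace the platform's own DDoS mitigation or the bandwidth alerts mentioned earlier in the thread.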

Sorry, I appreciate this is an old post, but I’ve just seen a Netlify customer on Reddit who is running a site that gets circa 200 users per day get hit by a DDoS attack. As a result, the subsequent bill from Netlify is $100k+.
He is using the free tier, so that may be a factor.

As a Pro Team Plan customer, I’d like to understand if this is a danger for us. Having asked the AI Chatbot about this, it states the following, which to me reads like this shouldn’t happen and that there are protections in place, but I’d like clarification from the Netlify team as this situation is deeply worrying.

Chatbot response:

Netlify provides comprehensive DDoS protection to ensure your site remains available and secure, even in the face of malicious attacks. Here’s an overview of how Netlify safeguards your site from Distributed Denial-of-Service (DDoS) attacks:
Proactive DDoS Monitoring
Netlify actively monitors for DDoS attacks. The platform’s global infrastructure and automated DDoS protection mechanisms are designed to keep your site up and running, regardless of the attack intensity.
Automatic Detection and Mitigation
Netlify’s system automatically detects DDoS attacks and takes immediate action to mitigate them. This includes rate limiting and blocking malicious clients from connecting to sites hosted on Netlify’s servers. The edge network plays a crucial role in preventing these malicious clients from impacting network performance. Key features include:

  • Global Load Balancing: Traffic is strategically routed among many servers. Netlify manages these servers to ensure capacity scales as needed.
  • Automatic DDoS Detection: The system identifies anomalous clients that pose a risk to your site’s availability.
  • Automatic Rate Limiting & Blocking: Attacks are mitigated by rate limiting and blocking identified malicious clients.

Customizable Traffic Control
For additional protection and control, you can configure your own traffic rules. This allows you to block traffic or only allow traffic from specific geographic locations or IP addresses, which can be particularly useful if you have insights into the origin of the attack. More information on configuring traffic rules can be found in the Firewall Traffic Rules documentation.
Monitoring Site Traffic
To keep an eye on your site’s traffic and potentially identify malicious patterns, you can use Log Drains. This feature enables you to monitor site traffic effectively.
Netlify’s approach to DDoS protection is designed to be both proactive and reactive, ensuring that your site remains secure and available even under attack. For more detailed information on Netlify’s DDoS protection and other security features, you can refer to the Security Overview documentation.

Yeah, I don’t get why we can’t just have such an option in the site configuration.
How my site should react to such situations should be up to the user.

I love the way that other providers do it, here Bunny CDN for example. Things like that make me as a user/customer able to sleep at night without the stress.

2 Likes

Please add some bandwidth limit for free tier accounts. I won’t pay you a dime if this spikes above the limit and I will take it to court if necessary. I appreciate the free tier account very much, but if you suddenly want to charge me hundreds of thousands for some spike, it’s not cool. I don’t have the money and I won’t pay. If you don’t plan on adding a bandwidth limit, please let me know and I will move my projects elsewhere.

Thanks.

4 Likes

As people seem likely to keep streaming in from the Reddit/HN threads, I’ll cross-reference the initial CEO response here too:

It doesn’t directly answer everyone’s questions/concerns, but it is related and may not have been seen.

Nice. You should definitely make a post on reddit as well.

@ManuC84 Perhaps, but I don’t work for Netlify and I don’t have a Reddit account :slight_smile:

Feel free to mention it there yourself.

To anyone coming from Reddit:

This is the CEO comment:

"Netlify CEO here.

Our support team has reached out to the user from the thread to let them know they’re not getting charged for this.

It’s currently our policy to not shut down free sites during traffic spikes that don’t match attack patterns, but instead to forgive any bills from legitimate mistakes after the fact.

Apologies that this didn’t come through in the initial support reply."

This is purely damage control. If this was in fact the case, and it was normal practice to forgive fines for being attacked, the support team wouldn’t have tried to still fine the Reddit user, even after assessing they’ve most likely suffered a DDoS attack. The response from the support team was: “I see you’ve probably been attacked as these user agents are not usual. In that case, we usually lower these fees to 20%, but in your case I’m lowering it to 5%”, which is still 5 thousand dollars. At no point in the support email is it even remotely suggested to the user that this could be forgiven. All it says, regarding other possible resolutions, is “it’s possible to raise this to internal affairs”. I am not blaming the support team, as I highly doubt they would just make up an arbitrary amount to fine the client without management knowing about this practice. (But also: an occurrence with a 100k fee and a 95k price reduction doesn’t immediately involve internal affairs? Is that a small amount of money to you?)

So either the CEO comment is false, and it’s not company policy to forgive these fines when they are deemed an attack but rather lower the amount in an attempt to still receive some money from an obvious victim, or the support team is aware that normal practice is to forgive these fines, but for whatever reason chose to make up a scenario in which the actual usual practice is to lower the fine for being attacked. I highly doubt the veracity of the latter.

I will be closing my account. Consider the option to at least offer the user a choice when it comes to potentially mitigating the damages. Also consider not potentially flat out lying to your clients. When I saw the post on Reddit I realized I wasn’t aware of there not being a limit in DDoS attacks. After reading that the solution was “pay us 5 thousand and it’s okay”, I decided to delete my Netlify account as soon as possible. But your CEO comment, trying to throw their support team under the bus, that made me vow to never use Netlify again, and recommend everyone else does the same until I die.

This is the kind of event that kills companies. Do better.

3 Likes

I will be closing my account. Consider the option to at least offer the user a choice when it comes to potentially mitigating the damages. Also consider not potentially flat out lying to your clients. When I saw the post on Reddit I realized I wasn’t aware of there not being a limit in DDoS attacks.

Same here. I thought Netlify’s policy was “your site will be shut down if you go over the free tier quota”, not “we will start charging you if you go over the free tier quota.”

After 4 years on Netlify without any problems I’m sad to leave, but I prefer to sleep well at night.

1 Like

Hello, all. We are aware of and deeply sorry for how this recent situation has impacted some of our users. As a company we are deeply committed to both making this right and ensuring that it never happens again. I’m linking our official stance below, but please don’t hesitate to email Support (support@netlify.com) if you want to discuss your account. We are here to help. Thank you.

1 Like