Our support team has reached out to the user from the thread to let them know they're not getting charged for this.
It's currently our policy to not shut down free sites during traffic spikes that don't match attack patterns, but instead forgiving any bills from legitimate mistakes after the fact.
Apologies that this didn't come through in the initial support reply.
One additional feedback, for consideration: to me, your Pricing page[1] doesn’t make it sufficiently clear that the “Starter” plan may incur costs at all (let alone in this ballpark). It’s now more apparent when looking at it in hindsight, but you have to either read very carefully, or go to the separate “View Features” page to understand this.
“0$ to get started, then pay as you go” reads to me: “0$ to get started, and then you can order add-ons and extra features as you need them”, not “$0 to get started, but we may start charging you virtually unlimited amounts at any point without prior notice”.
When signing up for the “Starter” tier initially, I completely misunderstood this. I didn’t have to enter any credit card or invoice details, so I thought as long as you don’t have that info from me, you can’t and won’t bill anything.
How on earth could I, as a customer, be sure that netlify hadn't paid someone to DDOS me? If I were in charge of a business like that, I would have that thought constantly...
> “0$ to get started, then pay as you go” reads to me: “0$ to get started, and then you can order add-ons and extra features as you need them”
I think I disagree with this, but maybe I'm misunderstanding you.
Pay as you go sounds strongly to me that you pay based on your actual usage, not that it's free except for add-ons. A pay as you go phone, for example, does not imply you need to buy a telephony add-on, an SMS add-on, etc.
PAYG phones, however, were always prepaid, so I think I would expect PAYG hosting to be similar. That said, if my site was publicly accessible without my prepayment, I think it would be clear that it works the way it apparently does.
It's potentially misleading, but I don't think it's intentionally dishonest.
1. Yes. We've forgiven lots and lots of bills over the last 9 years and they haven't gone viral
2. While I've always favored erring towards keeping people's sites up we are currently working on changing the default behavior to never let free sites incur overages
Thank God for social media that the user was able to get attention about this on Reddit, where he was then advised to post this on HN. It must have been stressful to see a six-figure bill and then get told that, no worries, you’d ‘only’ be charged $5k instead for a static site. It’s just ridiculous to me to be sent a 6-figure bill in the first place.
You don't see VPS providers like Vultr forgiving bills like this, nor do they make the news. Granted they are not the same scope as Netlify, but still.
if only I had $1 for every time someone asked this exact question on HN. yes, we all get it: easy question is askable and not answerable. you want a gold star?
I’ve been a netlify user since 2017 and I just deleted all my sites. I can’t risk receiving a $100k bill for toy projects. Your “current policy” is not good enough.
Same, as it stands you the user are legally liable for the full bill unless netlify graciously forgive it.
Even in op's case, they didn't (still charging 5k!).
If there was an option to cap billing, or at least some legally binding limit on liability, then I can countenance using netlify.
Until then, it's just not feasible nor worth the risk.
the fact that once it arrives to the limits does not display an error page.
At this point I honestly do not care about them changing their policy; they should have thought that a normal person receiving a 100000$ bill on a free tier should not be on the table at all in any circumstance. Even if they forgive the bill, nobody needs to stress out like that.
Same. I will (almost certainly) never incur a $104k bill, but switching to Cloudflare Pages looks free and I don't want to depend on unwritten policies of goodwill to mitigate the potential risk.
Same here. Will I ever get a level of traffic that would cause this problem? Extremely doubtful. Is it worth the risk when Cloudflare Pages is a similarly easy offering, and took 5 minutes to switch to? Hell no.
The only "fix" here is to act like Hetzner and null route upon DDoS, price cap the thing, or offer unlimited bandwidth on the free tier like e.g. Cloudflare Pages.
Uncapped but paid is a recipe for disaster and you'll always be subject to the will of the support staff when something happens. If they can grasp to a straw leading to suspicions that it's not in fact a DDoS attack, you can for example be sure they'll do just that. Just no.
Did exactly the same, moving everything over to Cloudflare took me less than 15 minutes. “We’ll forgive those cases, pinky swear” is not a valid excuse when putting (even opt-in) hard limits in place is technically viable.
"Current policy?" So, you will retain a right to change such fees when you feel like it.
This is a serious matter. We are building a new site for our company with Netlify, but we can't open ourselves to this predatory practice. And even if you do not mean to be predatory, even the option of such is enough.
If not resolved with a clean, legally binding promise, our company (and probably quite a few others) must move our business to Cloudflare, Amazon, or some other competitor of yours.
Why are you asking this question here? Any actual company would have reviewed all the legal documents prior to choosing a provider. The promises you seek are the exact reason "enterprise-grade" providers can (and do) charge so much.
« Apologies that this didn't come through in the initial support reply. »
"Didn't come through" doesn't actually match the user's report of having support explicitly offering 20% and then 5% payment. It sounds like maybe you have a training problem? That seems like one of the important points to speak to.
> It's currently our policy to not shut down free sites during traffic spikes that don't match attack patterns, but instead forgiving any bills from legitimate mistakes after the fact.
That doesn't square with the 5% fee on the original $104k that your company told the OP to then pay.
> It's currently our policy to not shut down free sites during traffic spikes that don't match attack patterns, but instead forgiving any bills from legitimate mistakes after the fact.
Well, giving the option to users to plan ahead would be best, no? Like a setting to choose whether they want a potentially unlimited bill versus downtime.
Instead of that, you are choosing to stress and make people scared/anxious/homeless even (if they don't think of raising the issue on HN).
Seriously, this is not rocket science. This must have been discussed before in your company, and someone actually made this decision to stress people about such bills.
Frankly the only reason I can even come up with that Netlify wouldn't have such controls in place is exactly if they do _not_ simply forgive these sorts of jumps in costs (as the CEO here seems to be claiming). I'm pretty sure if they'd be left holding the bag, they'd manage to find some way to cut off these kinds of jumps in usage.
> It's currently our policy to not shut down free sites during traffic spikes that don't match attack patterns, but instead forgiving any bills from legitimate mistakes after the fact.
The legitimate mistake sounds to be on _your_ side if anything. You failed to match the attack pattern after all.
> Apologies that this didn't come through in the initial support reply.
The support email said you normally discount the attacks to 20%, but in this case it would be discounted to 5%. Are you here publicly claiming that your policy is in fact to forgive (i.e. discount 100%) these bills? Was the support reply totally incorrect in claiming that you normally discount the attacks to 20% or are you lying when saying that your policy is to forgive the bills? You might want to clarify your position here.
To be fair, these days, things can become viral literally overnight.
That said, instead of depending on unreliable heuristics, they should just allow an option to change the behavior. The "current policy" to charge small sites on the free tier thousands of dollars instead of just throttling/shutting down the traffic is really predatory.
I understand that you need to pay bills, but auto-billing over the bandwidth budget just isn't OK, or at least not unless the user specifically configures that that's OK. I for sure didn't understand your bandwidth tiers that way.
You can avoid this sort of bad press and disgruntled users and your support cost by just giving users the option to shut down the site once the bandwidth budget is up.
Lol this deescalated pretty quickly, went from $104K to $20K to $5K to $0
Which basically means you almost scammed the customer for $5K or $20K. Super negative practices. I for one could never trust a company operating in that manner. It would be much more honest to say "unlimited bandwidth" and set a hard-limit for maximum budget, then people know they won't be charged, than to go through all this crap and then pretend you're doing a favor to the customer (you're not). If I'm normally spending $10/month any idiot out there would know for sure that I'm not going to spend $104K instantly. That's a very basic filter to have. But you don't place such filters because obviously you're working on the principle to scam people many thousands of $ if they fall for that. Heck, for all we know you might send that amount of traffic to your customer and then try to scam them and if it doesn't work then pretend you're doing them a favor.
Heck, at that point, why not "send some traffic" to your customer? It's not like they have any way of verifying its source. Hmm... why even send traffic at all? Just add a multiplier to their metrics!
This is a very weird take. I'm struggling to understand why this incident is a reflection of "super negative practices" or is somehow a "scam". The CEO came here and publicly apologized for the mistake and mis-communication, and the issue is resolved for the user with no charges. What am I missing?
You can't rely on such a policy if it is not part of the actual contract. This doesn't address the enormous uncertainty and risk that is present here when using Netlify.
This is what sticks out to me about the situation. I would much rather a site go offline due to service overage triggering at some limit that I set - simply relying on the good faith of a host to subjectively waive fees is not reliable nor does it instill confidence that I won't be financially ruined by malicious third parties (like nearly happened here). I would imagine that the good faith of Netlify in this case would mean very little to a court when there is a contract that stipulates costs for services, and the worst case scenario for a user is that Netlify could take the issue to court with the contract the user agreed to and demand full payment. Even the possibility for this situation to occur without any tools existing to prevent it is terrifying and is a terrible value proposition for a service.
By the time you forgive the bill you may have caused significant psychological distress, maybe even irreparable. This doesn't feel like a responsible approach.
This is the way most companies work unfortunately. Paypal limits your account and makes you wait 6 months to (maybe) give you a way to get the money back.
I’ve already migrated my two sites off Netlify after reading about this incident, and seeing other replies where folks said they were stuck with large bills.
This large bill doesn’t look like a legitimate mistake, it looks like everything worked as intended until things got escalated via Hacker News.
This leaves all your other small business users potentially on the hook and at the mercy of your mercy.
Not only should this stuff be capped rather than the dam allowed to flow, but your systems should have picked this up immediately and known it for its nature.
This must have been a nice little earner for you over the years.
> traffic spikes that don't match attack patterns
I interpret this as "we always charge for traffic served, but we attempt to block illegitimate traffic" which means of course that the worse their traffic discriminator performs, the more money they make!
I assume you'll be offering this user a good amount of credit on their account for having to deal with this BS and the stress of being told they owe you $100k?
So this one got attention due to some good Samaritan on Reddit who told OP to post here. Now, to the real question here: have others not received as good advice and just paid up?
I'm moving my domain name and personal site off Netlify (already deleted the sites, DNS transfer requested), probably moving to Cloudflare pages.
It may only move a few MB a month, but I just can't risk if I put anything more substantial there that I might get hit with a bill for $100k and you maybe will forgive it. And that this has apparently been policy for nearly a decade makes it even worse.
Sorry, but there is a lot more going on here than you addressed, these charges were incurred on your "starter tier", which has no mention of additional costs.. I've noticed a lot of "sponsored content" by netlify, and again no mention of this possibility.. Also, no comment on not having ddos protection, or at least a spend limit?
Sure, this instance was resolved, but it's also the top post of the last month. Who honestly thinks it would be the same outcome if not for going viral...
I’ve been a Netlify user on the Pro plan for a few years now. Moving from Netlify to CloudFlare after this; “this didn’t come through in the initial support reply” doesn’t cut it for a $100k bill.
But you do see how _not_ addressing this in the initial support reply is going to cost you all in the long term, right? The real lesson here seems to be for small projects, it may well be worth the investment to handle my own hosting. All I see here is that getting you to do the right thing required publicly shaming you, which means you can be trusted about as far as I can throw a piano.
I’d rather be shut down than have a heart attack from a $100k bill. That could literally kill me from stress, even if you pinky swear to refund any oopsies.
That is an outrageous and inhumane policy. People get panic attacks when they get told they owe 100k they don’t have. People will be terrified your internal process wrongly determines the bill is legitimate. Imagine you have to study for an important exam or that you have a paper due. How can you possibly focus with this nightmare at your doorstep?
The most bizarre thing is that this is a known issue that folks have asked them for ways to mitigate, to no avail. The reddit thread even links to an extremely weird dialogue where Netlify's response boils down to, "if you're hosting a small site that gets DDoS'd, don't."
https://www.netlify.com/security/ sez “Active DDoS mitigation — Netlify monitors for traffic pattern anomalies and spikes, and effectively controls for them as needed” and now I'm curious about what that actually means.
It means they protect themselves from layer 3 and 4 DDoS. For layer 7 you're mostly on your own. That's what most companies mean when they talk about DDoS anyway.
Playing ”devil’s” advocate: tracking spend in real-time is not trivial. It adds complexity to stack. Bugs in the feature can cause sites to go down (for long time) without a reason. Larger online businesses likely rather sort out the problems later than risk shutting down in the middle of unexpected success.
true. I have a 9€/mo vps at Contabo for my blog and once boasted on HN that my small VPS is able to handle reddit/hn hugs which one user seemed to take personally and they started a DDOS against my VPS.
I only realized this after Contabo contacted me and said the traffic is so high that other clients' service is also degraded and they will have to take my VPS down if it's much longer (which was understandable). Gladly the ddos stopped soon.
But never was there any talk about any cost, they were very supportive
To some extent, that answer is fair enough, assuming they make this clear up front. If their service is "we'll keep your site up no matter what, for a price" that's a fine service to offer. It's not what the vast majority of people want, of course.
If their advertising is targeted to small businesses and individuals who could never afford this type of service, they could be guilty of false advertising, at least morally guilty. I haven't seen their marketing so I wouldn't want to say.
I don't fully understand Netlify, but it seems as though it tries to be a one-stop solution for everything it doesn't have to be - you could put free Cloudflare in front of it and probably mitigate this kind of thing?
Especially since they admit it was a DDoS attack. What I find outrageous is first that they charge for incoming traffic (which is often free with other providers), but also 55$ per 100GB. For comparison, Hetzner charges you 1€ per 1TB of outgoing traffic while incoming is free.
So even a reduction to 0.2% would have been possible. Honestly don't understand why anyone feels comfortable overpaying so much. Especially when there is no configurable spending limit.
Eh, I wouldn’t say that’s necessarily the case. AWS support, for example, tends to be really good about waiving charges for things that are clearly your mistake, like an unused instance that you forgot to turn off for a couple months. That’s not because hosting instances doesn’t actually cost Amazon anything! It’s because they want to keep you as a customer even if it loses them a bit of money right now.
In the Netlify case, though, insisting that this person still pay 5% is downright insulting. I’m sure they’re taking a hit already - just waive the whole thing.
> AWS support, for example, tends to be really good about waiving charges for things that are clearly your mistake, like an unused instance that you forgot to turn off for a couple months.
This is an admission that their UX sucks and makes it hard to know what state your account is in and what you're paying for. They waive the fees because a few high profile cases of people paying thousands due to the AWS console being awful would drive a lot of customers away.
> That’s not because hosting instances doesn’t actually cost Amazon anything
Except it doesn't cost them anything. The marginal cost of keeping your single instance running is $0 (unless they were 100% out of capacity and they could have sold that instance to someone else either at full price or spot price)
>it shows how disconnected this is from their real bandwidth cost
It's a value added service, they don't trade bandwidth as a commodity. Therefore unfair characterisation.
Plus, if you dive deeper: Bandwidth doesn't cost anything because bandwidth is just about pulsing some light in some glass fiber and applying some minuscule voltage on some metal fiber. Okay, maybe it costs some amount of electricity but all this is just a business model for paying on capital expenditure through time share arrangements. People can have all kind of models for this, for example you can come together with others or pay it all by yourself to install the equipment and have free bandwidth for the lifetime of the equipment.
It's all just arrangements to cover the capital investment and earn something on top of it. That's not a scam. A scam would be if they didn't account correctly for the timeshare usage or induce usage to boost payments.
I really don't get your point. If you're a hosting provider, the very thing you're selling is bandwidth (and disk space). Everything else is a value added service.
This is true for all businesses but maybe more so for tech:
Don't have a business model that charges customers for your mistakes.
This customer's bandwidth usage jumped from free tier to $100k in a very short time. To be honest, this shouldn't even be possible. Any "free" tier that allows for a surprise $100k bill is not a free tier.
This bandwidth usage is the result of a mistake on Netlify's part. That much seems clear.
To go and suggest that the customer is responsible for any portion of the bill is where things really went sour imo. Don't do this. Ever. Unless you want your company to go viral for all the wrong reasons.
If you want another good example of how badly this can backfire, look at what happened when Unity announced their new pricing scheme. Unity's new pricing scheme also allowed for unbounded bills. At first they didn't even deny this. Later they said it was a customer misunderstanding. I.e., they blamed the customer for their mistake.
Thankfully, the CEO of Unity was fired.
The lessons are very straightforward:
1) Don't implement predatory pricing schemes (this can even be done unintentionally, but the intent doesn't matter).
2) If you do implement predatory pricing, the worst thing you can do is put on your surprised pikachu face when the customer asks why their bill is bigger than their annual income.
Since the author has gone viral I expect some netlify exec is going to take over and write this bill off to $0. In the words of Kramer “these big companies, they just write it off!”
A moment of silence for the people who got DDoS-ed, didn’t go viral and still had to pay $5k.
The very fact that you expect that making front page of hn will make them cancel that bill means that it will soon be over.
These kind of stories (alongside cancelled accounts) repeat over and over again and will soon become so not newsworthy that they will either not end up in front page, nor people will check on the eventual outcome which means these companies will get away with not moving a finger.
Nah. I think the dev community has a long memory. Events like this are damaging for years. Whenever Netlify is mentioned, someone will inevitably point to this thread for a few years.
When I received a message from the bank saying my account was in the red I discovered that AWS had been billing me 1100 / month for 5 months before I even noticed. It was for something I'd set up one night while bored and then forgot about it. They drained my account :( Even had the nerve to say I had to pay for premium support only to get a "lol, pay" response.
If you bend over and pay in such circumstances, you are part of the problem. Twilio tried to pull this crap on me and I simply created another account with an email forwarder and left them holding the bag on the previous account
Here is my shiny new super business plan for a startup that will profit thousands from a supposedly non-paying customer:
1. Offer “free static website” with lots of templates and guides to help you build one
2. The first 100GB is free and beyond that it’s $0.01/MB. But no worries! Very few customers actually use up that free bandwidth and in case you need more you can purchase packages for $100/TB. Also we offer a free service that will help you get your site more visible by advertising it, it’s included by default.
3. After a month or so, randomly help a customer bump the website and make it popular by putting it in some list that is frequently crawled. Secretly hire someone else to crawl these websites and make lots of download requests
4. Once the customer suddenly gets 10TB of traffic, bill them for 9900GB which is $99000
5. As long as 1 out of 100 customers pay, you are profiting $990 per customer! For the rest of customers, offer a 5% discount so they only have to pay $1980. Threaten to take them to collections if they refuse.
Become the next millionaire by just selling free static websites to 1000 customers! Anyone join us?
There's no way in hell anyone should ever under any circumstance use a free service that might, for reasons entirely outside your control, suddenly bill you 5k, or 104k... or any non trivial amount really.
Yeah. Elsewhere in these comments there's a link to a support thread[0] where Netlify support essentially says you shouldn't ever need an option to suspend your site at a certain point because:
#1. If you think there's any chance of getting DDoSd, you should already be on a business plan instead of a starter tier.
#2. If you think there's any chance of your site going viral, you're going to want to pay the cost anyway to let all those people visit.
I agree that's ridiculous and that the lack of any option of capping costs would mean I'd never sign up for the service. But that's the official response, for what it's worth.
Yeah, like wtf is wrong with that? Are people just too lazy to check what the conditions are when exceeding traffic? I'd never ever sign up for anything that just keeps charging...!?
I understand that some businesses might want to take the hit from a cost surge because they get an even higher revenue surge. But a large fraction of sites aren't like that and would prefer a loss of service to a cost overrun. Service providers should always offer a "maximum out-of-pocket cost" service option. Those that don't aren't suitable vendors for most customers and customers should be warned about them.
As I recall, you have to actively sign up for the paid plan (Blaze) to get pay-as-you-go billing. Otherwise, you get free quota, and if it's up, it's up.
I think it also integrates into all of Google Cloud's billing management stuff, but I've never had to bother with that.
Use a virtual card with just a small amount of money on it to limit your liability. Won't work if you've entered a contract, but for a lot of these providers, including AWS it works.
This "one crazy trick" does nothing to limit your true liability.
If you go to a restaurant and someone at your table orders 5,000 plates of mozzarella sticks, the fact that your credit card only covers $5 doesn't mean you are magically absolved from the rest of the bill.
For $100k, a debt collection firm would be more than happy to get a judgement against you. Credit card or no.
I once got a $65,000 water bill from the city for one month. I laughed and called them and asked them to re-read the meter and correct it, and expected a quick resolution. But no, they insisted it was correct for some time and that I needed to pay it. They said I probably had a leaky faucet or running toilet.
There was no awareness on the part of the customer service people how ridiculous that was. It would be physically impossible for my service pipe to deliver that volume of water even if it had been running full open for the entire month. I kept escalating until I reached someone who agreed, and they sent someone out to re-read the meter. And my bill was reduced to about $35.00, the normal amount.
Front line customer support isn't always very in tune with what is sensible for a given customer's account.
Water is a regulated utility. Anyone in a similar situation can contact the government authority who will gleefully tell the company to go to hell and possibly implement fines for inappropriate billing.
I wish that was so straight forward. You can google this incident where an empty lot got a 35K water bill and the water company said it was an error, then backtracked on that and still saying 35K is due.
> Towards the end of 2023, the DWM seemingly corrected the issue. Revive received an email stating: “The prior balance on the account reflected water leakage that was the result of Department of Watershed actions. Once the leak was addressed and the account properly adjusted, the corrected balance for the property is $219.24.” However, DWM soon backtracked and claimed that the $219.24 quote was made in error and that the nearly $30,000 balance still applied.
[1]: https://www.netlify.com/pricing/
1. Would Netlify forgive the bill if this didn't go viral?
2. How do you plan to address this issue so that it never happens again?
Everyone here knew someone from Netlify would come and say OP wouldn't have to pay. That was a given. Now we want to know the important answers.
To bobfunk, the response needs more empathy and explanation around the obvious frustration around why there is no slider for cost limitation.
As it is, it feels like the minimum viable corpspeak apology and damage control.
I did the same last night from my phone. My personal site and a project docs site are just going to not be online for a couple days. Easy choice.
This is a serious matter. We are building a new site for our company with Netlify, but we can't open ourselves to this predatory practice. And even if you do not mean to be predatory, even the option of such is enough.
If not resolved with a clean, legally binding promise, our company (and probably quite a few others) must move our business to Cloudflare, Amazon, or some other competitor of yours.
Is that unreasonable?
edit: hey guess what, Netlify offers an enterprise plan, I'd bet they will be happy to offer you a "clean, legally binding promise": https://www.netlify.com/pricing/?category=enterprise
"Didn't come through" doesn't actually match the user's report of having support explicitly offering 20% and then 5% payment. It sounds like maybe you have a training problem? That seems like one of the important points to speak to.
That doesn't square with the 5% fee on the original $104k that your company told the OP to then pay.
Well, giving the option to users to plan ahead would be best, no? Like a setting to choose whether they want a potentially unlimited bill versus downtime. Instead of that, you are choosing to stress and make people scared/anxious/homeless even (if they don't think of raising the issue on HN).
Seriously, this is not rocket science. This must have been discussed before in your company, and someone actually made this decision to stress people about such bills.
The legitimate mistake sounds to be on _your_ side if anything. You failed to match the attack pattern after all.
> Apologies that this didn't come through in the initial support reply.
The support email said you normally discount the attacks to 20%, but in this case it would be discounted to 5%. Are you here publicly claiming that your policy is in fact to forgive (i.e. discount 100%) these bills? Was the support reply totally incorrect in claiming that you normally discount the attacks to 20% or are you lying when saying that your policy is to forgive the bills? You might want to clarify your position here.
This is a static site. To reach that sort of bandwidth out of nowhere you'd need to publish the blueprint for a teleportation machine
That said, instead of depending on unreliable heuristics, they should just allow an option to change the behavior. The "current policy" to charge small sites on the free tier thousands of dollars instead of just throttling/shutting down the traffic is really predatory.
You can avoid this sort of bad press and disgruntled users and your support cost by just giving users the option to shut down the site once the bandwidth budget is up.
Moving my sites off of netlify ASAP.
Do you forgive 100%, 95%, or 80% of the bill?
Is the 100% only available when a story about a bill goes viral?
This large bill doesn’t look like a legitimate mistake, it looks like everything worked as intended until things got escalated via Hacker News.
Not only should this stuff be capped rather than the dam allowed to flow, but your systems should have picked this up immediately and known it for its nature.
This must have been a nice little earner for you over the years.
I'm moving all my netlify sites elsewhere, bob.
I'm probably not the only one.
> "You've got room to grow!"
ohfuckohfuckohfuck
I interpret this as "we always charge for traffic served, but we attempt to block illegitimate traffic" which means of course that the worse their traffic discriminator performs, the more money they make!
One question though, what is Netlify gonna do to ensure this doesn't happen again?
I understand it's a hairy question, but the general consensus seems to be some policy must be changed or at least some line should be drawn.
That's terrible for marketing.
It may only move a few MB a month, but I just can't risk if I put anything more substantial there that I might get hit with a bill for $100k and you maybe will forgive it. And that this has apparently been policy for nearly a decade makes it even worse.
Sure, this instance was resolved, but it's also the top post of the last month. Who honestly thinks it would be the same outcome if not for going viral...
I won't touch a fake free service if it requires a payment method. Want my money, give me a reason to pay you, don't trick me into paying you.
Tempted to go fuzz your product and document other dark patterns...
Truly shameful.
Your support was going to charge him 5% as a "sign of good fate". How kind.
If it hadn't gotten traction, you absolutely would have charged him.
How many other people have you strong armed into paying ridiculous bills?
The fact that you have no usage limits is clear indication that this is intentionally left open to abuse.
Extremely shady and downright criminal.
https://answers.netlify.com/t/limit-bandwidth-to-avoid-high-...
I don't understand why they won't just raise a 503 if the traffic exceeds the spend limit, or at the very least provide that as an option.
(But I also would like to see this feature)
Autoscaling is a feature!
I only realized this after Contabo contacted me and said the traffic is so high that other clients' service is also degraded and they will have to take my VPS down if it's much longer (which was understandable). Gladly the DDoS stopped soon.
But never was there any talk about any cost, they were very supportive.
If their advertising is targeted to small businesses and individuals who could never afford this type of service, they could be guilty of false advertising, at least morally guilty. I haven't seen their marketing so I wouldn't want to say.
I've dealt with Netlify's support [1], and one of their CS heads was incredibly rude to me and blamed me for the problem they created.
[1] https://news.ycombinator.com/item?id=35610956
https://docs.netlify.com/domains-https/custom-domains/config...
If they just reduce to 5% like that, it shows how disconnected this is from their real bandwidth cost. Really does feel like a scam.
So even a reduction to 0.2% would have been possible. Honestly don't understand why anyone feels comfortable overpaying so much. Especially when there is no configurable spending limit.
In the Netlify case, though, insisting that this person still pay 5% is downright insulting. I’m sure they’re taking a hit already - just waive the whole thing.
This is an admission that their UX sucks and makes it hard to know what state your account is in and what you're paying for. They waive the fees because a few high profile cases of people paying thousands due to the AWS console being awful would drive a lot of customers away.
Except it doesn't cost them anything. The marginal cost of keeping your single instance running is $0 (unless they were 100% out of capacity and they could have sold that instance to someone else either at full price or spot price)
It's a value added service, they don't trade bandwidth as a commodity. Therefore unfair characterisation.
Plus, if you dive deeper: Bandwidth doesn't cost anything because bandwidth is just about pulsing some light in some glass fiber and applying some minuscule voltage on some metal fiber. Okay, maybe it costs some amount of electricity but all this is just a business model for paying on capital expenditure through time share arrangements. People can have all kinds of models for this, for example you can come together with others or pay it all by yourself to install the equipment and have free bandwidth for the lifetime of the equipment.
It's all just arrangements to cover the capital investment and earn something on top of it. That's not a scam. A scam would be if they didn't account correctly for the timeshare usage or induce usage to boost payments.
I really don't get your point. If you're a hosting provider, the very thing you're selling is bandwidth (and disk space). Everything else is a value added service.
Don't have a business model that charges customers for your mistakes.
This customer's bandwidth usage jumped from free tier to $100k in a very short time. To be honest, this shouldn't even be possible. Any "free" tier that allows for a surprise $100k bill is not a free tier.
This bandwidth usage is the result of a mistake on Netlify's part. That much seems clear.
To go and suggest that the customer is responsible for any portion of the bill is where things really went sour imo. Don't do this. Ever. Unless you want your company to go viral for all the wrong reasons.
If you want another good example of how badly this can backfire, look at what happened when Unity announced their new pricing scheme. Unity's new pricing scheme also allowed for unbounded bills. At first they didn't even deny this. Later they said it was a customer misunderstanding. I.e., they blamed the customer for their mistake.
Thankfully, the CEO of Unity was fired.
The lessons are very straightforward:
1) Don't implement predatory pricing schemes (this can even be done unintentionally, but the intent doesn't matter).
2) If you do implement predatory pricing, the worst thing you can do is put on your surprised pikachu face when the customer asks why their bill is bigger than their annual income.
A moment of silence for the people who got DDoS-ed, didn’t go viral and still had to pay $5k.
These kinds of stories (alongside cancelled accounts) repeat over and over again and will soon become so un-newsworthy that they will neither end up on the front page, nor will people check on the eventual outcome, which means these companies will get away with not moving a finger.
When I received a message from the bank saying my account was in the red I discovered that AWS had been billing me 1100 / month for 5 months before I even noticed. It was for something I'd set up one night while bored and then forgot about it. They drained my account :( Even had the nerve to say I had to pay for premium support only to get a "lol, pay" response.
1. Offer “free static website” with lots of templates and guides to help you build one
2. The first 100GB is free and beyond that it’s $0.01/MB. But no worries! Very few customers actually use up that free bandwidth and in case you need more you can purchase packages for $100/TB. Also we offer a free service that will help you get your site more visible by advertising it, it’s included by default.
3. After a month or so, randomly help a customer bump the website and make it popular by putting it in some list that is frequently crawled. Secretly hire someone else to crawl these websites and make lots of download requests
4. Once the customer suddenly gets 10TB of traffic, bill them for 9900GB which is $99000
5. As long as 1 out of 100 customers pay, you are profiting $990 per customer! For the rest of customers, offer a 5% discount so they only have to pay $1980. Threaten to take them to collections if they refuse.
Become the next millionaire by just selling free static websites to 1000 customers! Anyone join us?
Just suspend service on excessive overages...
#1. If you think there's any chance of getting DDoSd, you should already be on a business plan instead of a starter tier.
#2. If you think there's any chance of your site going viral, you're going to want to pay the cost anyway to let all those people visit.
I agree that's ridiculous and that the lack of any option of capping costs would mean I'd never sign up for the service. But that's the official response, for what it's worth.
[0] https://answers.netlify.com/t/limit-bandwidth-to-avoid-high-...
As I recall, you have to actively sign up for the paid plan (Blaze) to get pay-as-you-go billing. Otherwise, you get free quota, and if it's up, it's up.
I think it also integrates into all of Google Cloud's billing management stuff, but I've never had to bother with that.
Like all of the big clouds with free tiers and nuke it from orbit level footguns lying about everywhere?
If you go to a restaurant and someone at your table orders 5,000 plates of mozzarella sticks, the fact that your credit card only covers $5 doesn't mean you are magically absolved from the rest of the bill.
For $100k, a debt collection firm would be more than happy to get a judgement against you. Credit card or no.
There was no awareness on the part of the customer service people how ridiculous that was. It would be physically impossible for my service pipe to deliver that volume of water even if it had been running full open for the entire month. I kept escalating until I reached someone who agreed, and they sent someone out to re-read the meter. And my bill was reduced to about $35.00, the normal amount.
Front line customer support isn't always very in tune with what is sensible for a given customer's account.
Not always - but a lot of the time, especially for lower quality companies.
> Towards the end of 2023, the DWM seemingly corrected the issue. Revive received an email stating: “The prior balance on the account reflected water leakage that was the result of Department of Watershed actions. Once the leak was addressed and the account properly adjusted, the corrected balance for the property is $219.24.” However, DWM soon backtracked and claimed that the $219.24 quote was made in error and that the nearly $30,000 balance still applied.
https://lawblog.legalmatch.com/2024/02/26/empty-atlanta-lot-...