Serverless to Homeless - Case study

00:00

so net lii sent a user a bill of

00:03

$100,000 for a simple static website

00:06

let's take a look at what this is what

00:08

went wrong and how you if you're using a

00:11

provider like worel or nettia or

00:12

something like that you can prevent this

00:14

Behavior or you can prevent this cost so

00:17

$100,000 is of course not a small amount

00:20

of course if you're hosting something

00:21

you know you're expecting if it is

00:23

static you're expecting it to be pretty

00:25

much zero cost at most at you know you

00:28

are probably on a pro plan on what sale

00:30

or even netlify which cost like $20 a

00:32

month but all of these plans even the

00:35

Pro Plan comes with an uninterrupted

00:37

tier right so what happens is that if

00:38

you are using the things within that

00:41

tier it'll just be included in your plan

00:44

but if you overshoot let's say for

00:46

serverless compute or bandwidth or image

00:48

optimization or anything like that then

00:50

they will just charge you based on you

00:52

know their rates so a similar incident

00:54

incident happened at nlii where somebody

00:57

received a $100,000 bill and uh it's to

01:00

say the very least it's a bit strange so

01:02

let's take a look at what happened so I

01:04

received an email from netlify last

01:06

weekend saying that I have

01:07

104,000 almost in USD in Bill overdue at

01:11

first I thought this is a joke or some

01:12

scam but after checking my dashboard it

01:14

seems like I'm truly owning them that

01:16

amount so I was like and think okay

01:18

maybe I got dos since netlify charges

01:20

$55 for 100 GB for the exceeding

01:23

bandwidth the peak day of February 16th

01:26

had this much amount which is like you

01:28

know 60 terabytes of bandwith in a

01:29

single day see so that's that's the

01:31

thing that is the thing that two things

01:34

wrong here the first one is that you

01:36

know this cost is outrageous if you take

01:38

a look at actual cost for bandwidth it

01:41

is not as expensive as $55 for 100 GB

01:44

right now why worel and why netlify and

01:47

why you know all these SAS providers

01:50

sell the bandwidth extremely expensive

01:52

worel is cheaper than this worel sells

01:54

it for 40 USD which I'm assuming like

01:56

they are reducing now I have heard some

01:59

things that Al is in talks with a lot of

02:01

people to reduce this number but let's

02:03

see what it is but netlify charges

02:06

$55 for 100 GB of bandwidth this cost is

02:12

insane right so if you take a look at

02:14

herzner for example see so with herzner

02:17

20 terab of traffic is already included

02:20

and extra traffic is € per month per TV

02:23

right so you can see that the markup

02:26

here is 55 times more 55 times is you

02:30

know its orders of magnitude more than

02:33

what a cloud provider like herzner is

02:35

costing you and even AWS doesn't charge

02:37

this month right AWS also has huge

02:39

charges and but it doesn't charge that

02:41

plus if you look at providers like Cloud

02:43

flare Cloud flare has basically zero

02:46

cost for this so Cloud flare basically

02:48

doesn't charge you anything at all if

02:49

you are transferring data out of

02:51

Internet with their CDN service or you

02:53

know with R2 I think as well which is

02:55

their S3 alternative so this number in

02:58

itself is bad but the second second

03:00

thing is that there is no automatic dos

03:02

protection which is which I agree like

03:05

implementing a Dos protection is by its

03:07

very definition extremely hard because

03:09

dos means that it's distributed denial

03:12

of service attack that means that all

03:14

across the world the computers are

03:16

pinging your IP address and your website

03:18

address and it's extremely hard to

03:20

determine that this particular visit is

03:22

a bot visit or is some malicious visit

03:25

and that particular visit is a legit

03:26

visit so what happens generally in cases

03:29

of Dos is that you anyway have to like

03:31

you know put a capture on every single

03:32

page of the website for every single

03:34

user at least for that time being so if

03:36

you go to Cloud flare and these

03:38

providers A lot of these providers

03:39

actually what they do is they offer you

03:41

a you know an emergency dos mode so when

03:43

you toggle that on everyone gets a

03:45

challenge page on top of there you know

03:47

whenever somebody's visiting your

03:48

website they'll see a challenge page

03:50

from that provider which itself absorbs

03:52

all the DS attack and then just lets

03:54

legitimate users pass through because

03:56

they have to solve a capture or

03:58

something like that so see this is what

03:59

what happened like it was dsed on a

04:02

single file which is you know a sound

04:05

file and it got a lot of terabytes in

04:08

data transfer and what they told what

04:10

netlify told is that told them that

04:13

after looking into this further it seems

04:15

like a lot of bandwith usage came from

04:16

some user agents that are quite ancient

04:18

and uses Google Cloud addresses this

04:20

would include devices such as this this

04:22

this so either you have a fan base with

04:24

a passion for older technology or this

04:26

was likely a Dos attack I mean somebody

04:28

who's getting 16 4 terab I'm assuming

04:31

that they don't have a fan base of that

04:33

particular audio clip as aggressive as

04:35

that so so this seems like a this seems

04:37

like a weird message weird email to

04:39

write to someone who is already stressed

04:42

about you know paying a $100,000 bill

04:44

but okay going forward I would recommend

04:46

hosting music on a thirdparty music

04:48

platform such as YouTube band camp or

04:50

SoundCloud and reduce your bandwidth

04:52

usage no matter how popular your site

04:54

becomes so see this is where I really

04:56

disagree with the with how netlify has

04:58

responded in this email because if I'm

05:00

hosting a website it is my website and I

05:03

need those static assets whether that's

05:05

an image whether that's a sound file

05:07

whether that's a vasm binary I need that

05:09

on the edge Network which you are

05:11

providing right that that was the whole

05:13

proposition that we will deliver files

05:15

very fast to you sure I can host my

05:17

files on S3 but the only reason I would

05:19

do that is to save money save cost not

05:22

from a point of view that somebody just

05:23

downloads my file 10 times and you know

05:26

I'll be just bankrupt I will be homeless

05:28

so I think this is slightly bad take

05:31

from netlify where it's it's putting the

05:33

blame on the user itself and especially

05:36

in the case where Theos attack happened

05:38

right so it's not like they're

05:39

complaining out of thin air that you

05:41

know something like that happened it's

05:43

especially bad it puts a bad image that

05:45

you can't rust netlify you know the next

05:47

time you're probably hosting an image

05:49

which is like 1 MB 2 MB you know you're

05:51

not running any Optimizer or let even go

05:53

of that let's just assume you know

05:55

you're hosting something like a Monaco

05:56

editor or a VSS code sort of instance

05:58

which we also do on on code Dam so if I

06:00

show you for example this instance over

06:03

here which let's say if you boot up this

06:05

playground so you're going to see that a

06:07

vs code like editor opens up now this

06:10

syntax highlighting which you see this

06:12

syntax highlighting can you see that

06:13

these keywords are of different colors

06:16

just like how it works in VSS code you

06:18

know how that is possible that is

06:19

possible through a vasam bilary called

06:21

onm so o GM if you Google this this

06:25

onm binary it's a web assembly Port of

06:29

something that is required for this

06:32

tokenization and colorful syntax which

06:34

you see so basically this vam binary or

06:37

this package is required for VSS code to

06:40

provide syntax highlighting and for

06:42

reasons which I don't want to get into

06:44

this video but you need to host this

06:46

binary under your own main domain right

06:49

so you have to have that as a static

06:50

asset on your domain it's also bundled

06:52

internally by a node you know it's

06:54

bundled by the build pipeline itself

06:56

right so how let's say if something like

06:58

this happens to code Dam or something

06:59

like this happens to a website which is

07:01

using solution like this then how would

07:04

you would you really say that you know

07:06

you can just pick your binary and just

07:08

host it somewhere else I mean that's not

07:10

the solution right we have to develop

07:11

better Solutions than just blaming it on

07:14

the user so we normally discount these

07:16

kinds of attacks to about 20% of the

07:18

cost which would make your new bill

07:21

$20,000 I've currently reduced it to

07:23

about 5% which is $5,000 I know this is

07:26

still a lot of money and I apologize for

07:27

the inconvenience I mean this is is

07:29

somebody who's imagine it from a

07:31

scenario like you are not sitting in US

07:33

you're sitting in a country like India

07:35

where 5,000 USD is probably months of

07:39

your salary or months of your savings

07:41

right for an average developer or for an

07:43

average person who's by the way like

07:44

earning relatively well in India also

07:47

this this sort of behavior is something

07:49

which is you know which which can be

07:52

heart crushing it can be very brutal for

07:55

somebody who's trying to just host a

07:57

website a static website and they're

07:58

just experimenting seeing things so yeah

08:01

it's it's actually bad so he also posted

08:03

this on Hacker News and nlii CEO

08:06

response our support team has reached

08:08

out to the user from thread to let them

08:10

know that they are not getting charged

08:11

for this so of course like 100% of the

08:13

charges charges are removed it is

08:16

currently our policy to not shut down

08:17

free sides during traffic Spike that

08:20

doesn't match attack patterns but

08:21

instead for giving any bills from

08:23

legitimate mistakes after the fact

08:25

apologies that this didn't come through

08:27

in the initial supporter reply so see

08:29

here people have also did done some

08:32

pretty wild Acquisitions on nlii that

08:35

how on Earth can I as a consumer be sure

08:37

that nlii has not paid somebody to DS me

08:40

I mean this is completely fair question

08:43

I would say but these are some of the

08:45

questions where you can't do anything

08:47

about it right so you can't do anything

08:49

at all right because these are the

08:51

platforms they are controlled by these

08:53

platform companies right so at the end

08:55

of the day their databases are black

08:58

boxes their databases and what they

09:00

report to you fundamentally are black

09:02

boxes what we can just assume is that

09:04

everyone has the best interest for

09:06

customers in their minds and nobody's

09:09

like messing around or you know just

09:11

tweaking numbers or you know doing

09:13

things like these to charge or

09:15

overcharge customers that's the best we

09:17

can think about just to answer this

09:19

question there is no way you in in the

09:21

world can tell that if netlify did that

09:24

or did not do that because it's their

09:26

own systems at the end of the day you

09:28

can't tell it from outside like watching

09:30

it watching this video like this there

09:32

is nothing I can do to tell like what

09:33

happened so yeah that's basically it

09:36

about this one I think it ended well

09:40

with the person at least not paying

09:41

anything I don't see like there is any

09:43

sort of resolution so far on this that

09:46

what exactly happened like who dsed so

09:50

that's it for this video I think it's at

09:52

least the end was well for at least the

09:54

person who got dsed I don't think there

09:56

is still any update on like they say

09:59

they have the support hasn't come back

10:01

with the IP information so that's still

10:03

work in progress yeah what do you think

10:05

about this let me know in the comments

10:06

below make sure you like And subscribe

10:08

thank you so much for watching and I'll

10:09

see you in the next video really

10:26

soon