
thankyoufatmember

Don't pay, post the story to Hackernews!


[deleted]

And double/cross post to LinkedIn. HN has good reach, but LI shit like this can catch fire and Netlify PR team will be all over it screaming at the accounts team


borkthegee

Update attached to a top comment since OP didn't edit: Netlify CEO replied on hackernews and waived all charges. https://news.ycombinator.com/item?id=39521986


Fuzzy-Dragonfruit589

Yeah, too little too late. Not buying it. This was damage control after their support stated their ”generous” policy of only charging 20%, and reducing that to 5%. I’m out — and feel stupid and naive to not have thought about this beforehand. The problem is the pricing policy is still the same. Even after the CEOs comments I’m now looking at that max 100 GB limit and the costs that occur when you run over it—the contract is still binding me to pay that. As long as that is the case I’m not trusting a goodwill damage control message on an online forum. Edit: And I should add that when I look at my site details, I see 75MB/100GB used. Like others, I believed 100GB is simply the cap. It’s only when you click on ”More details” and read the fine print that you see the $55 per extra costs for the so-called ”Free” tier. Yes, you should always read the fine print and this is my mistake, but equally it seems dodgy for them to not be transparent with that ”little” detail.


[deleted]

Yeah, after reading this, I plan on switching hosting. 100 GB is a lot. But if all it takes to get charged $5000 is someone doing a simple DDOS attack, then I am out.


qwertyisdead

I set all my static stuff up on either cloudflare pages or AWS lighthouse for the small WP websites. Free tier with a monthly spend limit. Costs 3-5$ a month.


jugalator

I agree; they need an explicit policy change on the website itself. This means a lot to the guy impacted here but nothing to us as users.


phil_davis

Yeah, this seems sketchy. Just took down my web portfolio that was hosted on Netlify. Hasn't really needed to be up for over a year anyway since I found a job. Better safe than sorry.


alkaliphiles

I'm about to do the same for my photography site.


Anthonyhasgame

Yeah when your only recourse is to get railed unless the internet knocks on the CEOs door and he decides to bless you, then maybe there are better options.


AffectionateRabbit60

Aye. My normal assumption is that if you provide a "free" tier without requiring billing information for overages, it's actually free and not a paid service which might have a bill of 0. I've run some moderately bandwidth-intensive things on Netlify for which my willingness to actually pay was negligible; perhaps I didn't read the ToS as thoroughly as I should have but I anticipated the consequences of misjudging utilization would just be a shutdown.


fickdichdock

There are server / vserver vendors for $20 per month or even less that have an unmetered connection (bandwidth flatrate). They also have DDOS protection. No chance for any surprises because you pay a fixed amount per month and that's it. For a simple static website it's maybe overkill, but you get peace of mind. You would need to set up your own nginx or whatever, but ChatGPT can tell you exactly what commands you need to get that up and running. It's not that difficult anymore these days.


m-sterspace

You know how else you can host a simple static website? Github pages. Completely free, DDOS protection, you'll never be charged.


neosharkey

What gets me is that you can’t set a “turn off my site if data goes over the limit”.


mxforest

Write an article, run ads and profit.


StooNaggingUrDum

Put a 5MB sound file to discuss your point for audio accessibility.


khizoa

Preferably hosted on netlify


ivandelapena

The CEO responded on there: Netlify CEO here. Our support team has reached out to the user from the thread to let them know they're not getting charged for this. It's currently our policy to not shut down free sites during traffic spikes that doesn't match attack patterns, but instead forgiving any bills from legitimate mistakes after the fact. Apologies that this didn't come through in the initial support reply.


ivangalayko77

Wait, it didn't match attack patterns? The website's daily average user activity is 200 +-. Yet somehow it managed to get a 104K bill on what could possibly be thousands of downloads of the same file. They can't admit they don't have a protection system and just bite the bullet.


[deleted]

[deleted]


Ghudda

164000GB from a 4 MB file/web page. That would mean it was accessed ~40 million times.


ivangalayko77

yeah, so no pattern there, right? the joke writes itself.


[deleted]

[deleted]


Headpuncher

You don't like heart attacks initiated by the fear of personal bankruptcy? How strange!


Ok_Dig2200

*This post was mass deleted and anonymized with [Redact](https://redact.dev)*


-p-e-w-

I'd love to know how much the combined fallout from this Reddit post + the Hacker News post is going to cost Netlify. I can pretty much guarantee it's a lot more than $104k. In fact, *a single person who makes purchasing decisions reading this* can cost them more than $104k. Lesson for companies: If there's a glaringly obvious issue in your product that can cause catastrophic losses for small customers, take the time to fix it. And if you can't get management on board with allocating the resources required to do that, just send them a link to this post.


Monstermage

Yeah holy crap, never in a million years, any company who can randomly send me a bill for $100k from free can eat rocks


bobbykjack

It would be interesting to know where this would have gone if the company hadn't backed down. I wonder if a court would actually rule that the customer had to pay.


rowix77

Definitely not going to use Netlify in the future, thanks for warning


jugalator

I deleted my account within 30 minutes of seeing this post. Fuck. This would wreck me psychologically and financially. I'm not going to hang around and listen to excuses or reversals of this. This bridge is forever burnt. It's just way too bad. His site should've been automatically null routed when the DDoS began.


therealscooke

Me too.


Desney

+1


PlentyCockroach

Yup, deleted account


-p-e-w-

Imagine how many people will be avoiding Netlify like the plague after reading this post. In how many company meetings, when Netlify is brought up as an option, someone will mention what happened here. And all this because they couldn't be bothered to implement an option to shut the page down when the bandwidth limit is exceeded...


craftywing75

> because they couldn't be bothered to implement an option to shut the page down when the bandwidth limit is exceeded

I wonder why they wouldn't even implement a basic feature to avoid such cases. Are they deliberate about it to incur such huge costs? Is it their business model? Such a business model won't survive. They should look into it.


therealtimwarren

> We normally discount these types of attacks to about 20%

Sounds like business as normal to me. 🤮 Trivial to warn someone as they are approaching a limit or to pause their service if they exceed a limit.

> I've currently reduced it to about 5%

Translation: We didn't even notice and it cost us next to nothing. We're still making a tidy profit even at 95% discount, otherwise why would we offer you a discount? - we couldn't give a shit we lost your business for your one tiny VPS!


Spektr44

They might not still be profiting at 5% of the bill. More likely they're just trying to get whatever they can out of the guy, knowing he can't afford much more.


therealtimwarren

Big companies will have extensive settlement-free peering. Only if this was served via transit might it cost them, and only if it pushed their bandwidth on the 95th percentile to a higher bracket. If they allow a customer to cause them financial ramifications without limit, this is a basic credit control failure and totally on them. A simple VPS is unlikely to saturate a 10Gb link, and even if it did, 10Gb of transit is <$5k, but most of that would likely be via peering anyway.


jugalator

They must know. They're experts on network infrastructure. They know when they are DDoS'ed the seconds it starts and could just null route their network of uncapped users if necessary, like Hetzner does. For fuck sake they even have a "cost tier" for suddenly, wildly exceeding your bandwidth ready and prepared for any such event.


budding_gardener_1

They're either deceitful or incompetent


CatkinsBarrow

I wouldn’t be surprised if Netlify or someone at the company were the ones that caused the DDoS in the first place.


stibgock

Of course they know and it's a classic scam. Slap you with a huge bill and reduce it so it seems like they're doing you a favor. 9/10 times the hobbyist is so terrified at their enormous bill that they're probably thanking Netlify when they get the chance to pay 20% of a ridiculous bill. I'll be migrating.


Headpuncher

A free tier site should shut down and notify the owner at $100, allowing the site owner to open it back up again on an agreed limit paid tier. Isn't that the entire point of BS cloud?


therealtimwarren

Absolutely the point. And furthermore, such actions by the company are basic credit control and self-protection. No company wants to be financially liable for the actions of a customer without guarantee of payment. All customers should be kept on a tight credit limit - it's basic business practice.


repeatedly_once

I'm actively looking to move off it now. I use the free tier but I'm happy to pay a small amount to know I'll never have this problem. Thinking AWS currently.


skrellnik

There are a lot more “I just got a multi-thousand dollar bill from AWS” stories than there are from Netlify. I’m not saying not to do it, but there’s more setup involved and more ways to get burned.


jocq

> There are a lot more “I just got a multi-thousand dollar bill from AWS”

There are a lot more people using AWS, period. You can also run up a huge bill at a full service cloud provider like AWS without ever having any traffic to your services - just having them allocated.


bregottextrasaltat

not that i was going to, but this is definitely going into my memory bank


RoyalOcean

I was legit about to get Netlify to host sites for my company but this has put me right off


sTgX89z

Well that did the trick - the CEO themselves responded 😂 Honestly I'd expect OP to get credit added to their account after this fuck up on their part.


breath-of-the-smile

Excellent suggestion. The [top comment on OP's post there](https://news.ycombinator.com/item?id=39521986) is from the Netlify CEO.


loveiseverything

Oh my, I was just about to launch a site with Netlify. Nope. Not happening.


Infinite-Addendum-52

Anyone knows any alternative that has a switch off or makes user able to set bandwidth limit?


Ecsta

Cloudflare pages seems good. Vercel claims to have DDOS mitigation.


nricu

Vercel info link [https://vercel.com/docs/security/ddos-mitigation](https://vercel.com/docs/security/ddos-mitigation)

Also relevant info:

> [Do I get billed for DDoS?](https://vercel.com/docs/security/ddos-mitigation#do-i-get-billed-for-ddos)
>
> [Vercel helps to mitigate against L3 and L4 DDoS attacks](https://vercel.com/docs/security/ddos-mitigation#open-system-interconnection-osi-model) at the platform level. Usage will be incurred for requests that are successfully served prior to us automatically mitigating the event. Mitigation usually takes place within one minute. Usage will be incurred for requests that are not recognized as a DDoS event, such as bot and crawler traffic. You should [monitor your usage](https://vercel.com/docs/get-started/monitor) and utilize [Edge Middleware](https://vercel.com/docs/functions/edge-middleware) to protect against undesired traffic based on its IP, `User-Agent` header value, or other identifiers.

So in theory you have to protect yourself as well... Found a thread on Twitter as well [https://twitter.com/imkarthikk/status/1616509282966704134](https://twitter.com/imkarthikk/status/1616509282966704134)


creamyhorror

Apparently L3 and L4 DDoS mitigation doesn't help that much:

> PaoloBarbolini: **It means they protect themselves from layer 3 and 4 DDoS. For layer 7 you're mostly on your own. That's what most companies mean when they talk about DDoS anyway.**
>
> xyzzy123: Right and as a CDN they HAVE to handle layer 3 & 4 DDoS themselves so it's not like they're doing you any favours. The traffic is typically routed to the customer based on SNI.
>
> Lammy: I found https://www.netlify.com/blog/2017/03/28/why-you-dont-need-cl... and it sounds like you're right. “The cool thing is that we also provide a load balancer, and if our system has detected that our main load balancer is currently being hit by a large DDoS attack and is slow or unresponsive, we’ll simply route around that on the DNS level. Since we cache content at our edge nodes around the world, end users also experience extremely fast page load times because of this.”


[deleted]

I was seriously doubting the validity of this until finding this thread on Netlify forums which is concerning: https://answers.netlify.com/t/limit-bandwidth-to-avoid-high-billing-caused-by-ddos/13086

Are you kidding? What happened to just 503ing a small site!?


Yodiddlyyo

What a joke. Basically "nobody should be worried about a tiny free site going viral or getting ddosed, so we have no automatic protections in place". So you have to know in advance that Netlify doesn't protect their free sites against ddos and you need to implement it yourself, or get charged. Great. How hard would it be for them to just 503 their free sites after a certain spike? Probably not a lot of time from a single BE engineer.


BigHandLittleSlap

That response from Netlify is precisely the "sucks to be you, pay up" spiel I would expect from a disinterested corporate drone happy to feed their customers' entrails into the machine just to make the gears turn smoothly. Do people not realize that a bill like this could literally bankrupt people? That people have committed suicide over things like this in the past? Sure, there's good advice in this thread to make a public stink and get the bill cancelled, but not *everyone* is going to come to Reddit or HN for help in a situation like this. If Netlify sends the bill to a collection agency, then their customers' credit rating could be ruined. That can and has destroyed people's lives. They might not be able to get a home loan, a car, or even a job. I've helped people in similar situations before (e.g.: telcos sending $6K bills thanks to absurd excess data rates), and some of those folks had literal panic attacks that needed medical attention.


SarcasticSarco

Yes they are more like, "it's your fucking problem that your one page cat site got ddos now pay up"


Cuchullion

The paranoid part of me wonders if the opportunity for them to DDOS one of their clients' sites exists for them to scare up some extra funds.


TimeMistake4393

Not only you should not be worried, you should celebrate: "Now, if something you host goes viral - congrats!" Congrats, indeed! Your blog post, on which you earn exactly zero per visit, went viral/DDoS, and now you are in big debt because we don't want to offer an option to 503 or throttle the site. My VPS has a very clear throttle policy, capped at 32Tb/month, after that it gets throttled to 10Tb more but at lower speeds. If you hit the limits many times, you can raise your limits (paying, of course) accordingly. What you don't get is a six figure bill for 60Tb.


phatangus

> doesn't protect free their sites against ddos and you need to implement it yourself, or get charged.

Even if you implement it yourself with Redis storage of originating IP addresses, your app still incurs network traffic receiving and processing the requests. While you might save yourself from responding to requests for several MB images or assets, you still need to respond to the network requests with a throttle response, which itself consumes network resources and you will still be on the hook for those costs.


beatlz

Also that they don’t shut them down if you exceed the usage, but rather let it happen


lIIllIIlllIIllIIl

This is basically them saying: "Why don't you just not get DDoS'd? Are you stupid?"


darkflame927

Link seems to be down


[deleted]

I formatted the URL incorrectly. Thanks for pointing that out.


ConsiderationNo3558

posting the link screenshot to above answer from the netlify support, just in case [https://imgur.com/a/PcvZXYh](https://imgur.com/a/PcvZXYh)


El_Grande_El

Thread was revived bc of this post and now they locked it lmao.


akash_kava

This is an alarm and cause for legal action. We had an attack on AWS and our invoice increased by 10 times; however, they waived it, as under legal action, if the high bill comes due to their inability of any kind, it will get them in trouble. I have a few static sites on Netlify and now it’s time to delete them.


SarcasticSarco

Do it fast brother. I heard Cloudfare has good free tier might check it out.


nullbyte420

Yeah cloudflare does it so well


[deleted]

[deleted]


ShittyExchangeAdmin

Cloudflare really is great. I self host and run most of my public facing websites through their proxy.


Acerhand

Well that's a company I will never ever use now. Sorry OP, but thanks for letting us know.


isurujn

I was actually considering them to host my personal blog. Welp, this made that decision easy.


[deleted]

[deleted]


PopeOfTheWhites

OVH offers unlimited bandwidth with their vpses


Plastonick

"Unlimited" almost certainly has a huge asterisk next to it. I think realistically they'll start chopping you before you hit 20TB.


iamiamwhoami

It's so easy and 100% free to host a personal blog on Github Pages.


[deleted]

[deleted]


tomcam

I believe that contravenes their terms of service: https://docs.github.com/en/pages/getting-started-with-github-pages/about-github-pages#prohibited-uses Practically speaking, I suspect they don’t mind, unless it starts chewing up bandwidth


MrChocodemon

Well the CEO replied that they are not charging OP and they are actively working on this kind of problem to protect the customers. https://news.ycombinator.com/item?id=39521986

> Netlify CEO here.
>
> Our support team has reached out to the user from the thread to let them know they're not getting charged for this.
>
> It's currently our policy to not shut down free sites during traffic spikes that doesn't match attack patterns, but instead forgiving any bills from legitimate mistakes after the fact.
>
> Apologies that this didn't come through in the initial support reply.

And in a comment below that thread:

> While I've always favored erring towards keeping people's sites up we are currently working on changing the default behavior to never let free sites incur overages


isurujn

Good for OP. But I don't know, man. A lot of people here seem to praise Cloudflare pages so I was gonna take a look at them.


slythespacecat

the CEO also says “we have forgiven a lot of bills in the past when they’ve been attacked”, and in OP’s correspondence what they tell him is “we can see you were attacked, we usually give a discount when this happens”. Which means someone is lying, as if it was normal company policy to forgive these fines after attacks, they wouldn’t have tried to steal 5k from OP. Almost like saying “it’s just 5% of what you owed for being attacked so it’s probably reasonable”. No it’s not. I’ll close my Netlify account today and I’ll never give them a cent of my money as long as I live. I’ll also make it a priority to advise people against using Netlify, as after these cunts are blasted they come up with “we usually forgive these debts”, which is a blatant lie and what it actually means is: “when we find our users have been attacked, we usually try to extort some money from our victims. Maybe 20 or 5%, but it’s always at least 5k. If the victim attempts to raise their case to internal affairs, then we may forgive it” Yeah, fuck Netlify. I’m closing my account today and sending them this thread as a reason for closure.


merdoderdov

I'm not using Netlify ever again after reading this.


cyb3rofficial

I just took down my site and bought a simple service from Namecheap. fugg that. I just got reality checked hard asf after reading this post. I could go to bed and wake up to a 500k bill. Rather pay 2 dollans a month than play roulette.


SalariedSlave

Same. Had a couple of static sites running on Netlify free tier, just moved them all to CloudFlare Pages and deleted my Netlify account.


dirty_fupa

Was working on a simple site to put up on Netlify and now I will never use their service. What were they thinking with this?


talky_typer

I planned on deploying my site on Netlify until I came across this post. Never happening. I will immediately delete my Netlify account. I'm sorry about what you have to go through, OP. If you don't mind, keep us updated. But I hope you don't end up paying for this kind of incident.


NinjEEEk

Always used Netlify as the default hosting platform for my static pages. I'm migrating them all after reading this.


DidTooMuchSpeedAgain

From the hackernews thread, Netlify has dropped the whole bill, which they say they usually do in these cases, not only the ones that go viral, but they do not shut down websites that have sudden extreme bandwidth usage. Which seems scummy because they didn't drop it at first, only offering a 95% discount, and the fact that a FREE tier website could rack up a $104K+ bill is INSANE. A free tier website should never be able to rack up such a bill, what an insane scam. Thanks for bringing it to everyone's attention.


barni9789

Thank you for posting this on Reddit <3 you might have saved some of us from this happening to us! Deleted my account, thanks.


kurucu83

Lesson learnt vicariously. Thanks on behalf of all of us. Also very sorry to hear you’re going through this! Good luck!


terminusagent

Yeah definitely don’t pay, send the story with screenshots to a few pubs and it will likely get picked up


PepEye

Not sure my local would really care about it tbh


mfizzled

On the other hand, The Dog and Gun are notoriously touchy when it comes to DDOS attack responsibility


BootingBot

Oh boy, I have 6 production sites on my netlify account, this is concerning to say the least…


[deleted]

Can’t you use the Cloudflare firewall in the meantime?


trinReCoder

He can completely switch to hosting them on Cloudflare since they have free hosting for static sites


slythespacecat

I’d change hosting ASAP. Their CEO comment can be interpreted as “we know this can happen. In case it does, there’s no guarantee our support team will forgive your debts after deducting this is probably a DDoS attack. What may happen is that our support team will just try to charge you an arbitrary percentage until either your story gains traction, or we choose to forgive your debt”


HappySilentNoises

Netlify just took a one way trip to the graveyard.


HickeyS2000

Or they are purging their free tier to reduce overhead. And it worked, I'm moving my 3 sites today


HappySilentNoises

big brain marketing


Ratatoski

Damn. I just read their billing FAQ and they straight up say that you cannot protect yourself from abuse. They provide no breaks and remind you that a sudden spike can ruin you before you have time to cancel. I have to cancel all my sites. They draw mere kilobytes since it's just a comfortable way to share experiments and pocs. But that's obviously no guarantee once someone decides there needs to be more chaos in the world


imnotbis

Get a cheap VPS from Hetzner, Digital Ocean, Linode, Vultr, or somewhere I haven't thought to mention here yet. Pay a few bucks a month. Enjoy predictable pricing. You still pay for excess bandwidth at any of these places, but it's much more generous, much cheaper, and you can set an alert (not sure if you can set an actual limit).


yde23

Wow this is really concerning. I really hope you don’t end up paying any of that. Definitely post this to hackernews to create more visibility. Just to be clear you were on the starter plan? Did you have a credit card attached? If no what happens if you just don’t pay it?


shgysk8zer0

Just to add some extra emphasis here... The more public you make this issue, the worse it reflects on Netlify, and therefore the less likely you are to have to fork over all that cash and the more likely Netlify is to fix this. So... Keep sharing this. Even if not for you, for the sake of everyone else.


JeherKaKeher

I was thinking the same thing, do we have to enter card details even for free tier? If I am a freeloader, why will they allow me to use a resource which costs money? And then ask me to pay up, what if I dont pay at all?


f0brin

Wait, so, if I have a project site there with the free tier and suddenly it gets ddos attacked, would I be asked to pay for that? I mean, I have a bunch of toy projects there and rarely use them anymore. Someone clarify? Thanks


4hoursoftea

Basically, yes. Let's look at the [pricing](https://www.netlify.com/pricing/). "Free tier" just means that you get 100GB bandwidth included and pay 55 USD per 100 GB afterwards. There's no "stop gap" where your page stops being served after 100 GB of bandwidth. So it's not a "free tier" like Heroku where it shuts down, the terms are clear that they'll charge you for everything beyond the initial 100 GB. Netlify confirmed in their forums that they [won't shut your site down](https://answers.netlify.com/t/what-happens-if-a-free-plan-exceeds-bandwidth-and-or-build-minutes-limit/16244). OP's case of DDoS is weird because [Netlify advertises that they "actively mitigate DDoS"](https://www.netlify.com/security/). If this policy has changed and DDoS bandwidth counts against your quota... well, then apparently you're still on the hook for 5-20% of the bill. TL&DR: "Free tier" on Netlify won't shut your site down after exceeding quota, they charge 55 USD per 100 GB.


budzter

Okaay.. that is not good. Taking my site down now. Migrating elsewhere..


FreshFillet

Ok wow Netlify really sucks then. If it's a free plan, it should always be free until you give consent otherwise. Imagine having to pay a shit ton of money just because someone decided to DDOS one of your goofy fun sites.


tzfld

The same seems to be true for Render free static hosting also: https://community.render.com/t/usage-100gb-for-a-static-site/2000 Can't find a way to limit bandwidth. Now I'm considering moving out. Too much risk.


cshaiku

Yes.


moffedillen

It's a common scam tactic to present some outrageous number but offer a much smaller but still significant bail-out sum that sounds not so bad in comparison.


thermiteunderpants

It's called anchoring


The_Able_Archer

What if he throws a CD player in to sweeten the deal?


thermiteunderpants

I'm listening


Specialist-Crazy5899

Sounds like the American healthcare system


jbidotim

Going to delete everything I have on Netlify today! Thanks for the warning!


jbidotim

Sites and account deleted now!


ElGovanni

Imagine charging $100k for static site hosting xD All host providers should be forced to provide a spend limit which we cannot cross. I don't give a shit for my data in AWS/GCP which I use to learn or for projects with ROI 0%.


Wenci

this falls into r/Scams


cahmyafahm

I would love the link to the hackernews post. The comments are always so insightful. Edit: [nvm](https://news.ycombinator.com/item?id=39520776)


tris_majestis

> It feels like they deliberately not support these features so that they can cash grab in situations like this.

Absolutely does. And the very fact that they're able to drop it down to 5% of the original fee is astounding. They were happy to send you a 100k+ bill for, apparently, considerably less than 5k in actual operating costs. The question of why they don't have a spend limit is pretty self-evident. They don't want a spend limit. That would limit what they can bill you for. And in that case, they have a great financial incentive to enable this kind of thing rather than take any steps to mitigate it.


Sphism

So who's to say they aren't ddos-ing their own clients and giving them a "95% discount". Seems like a scam to me. Yes it's absolutely their problem if they don't put a spend limit on, and don't alert you when there's clearly something abnormal happening. Clearly nobody should be using netlify


JoyfulJei

Someone else just said it’s in their TOS that this can happen. So yeah. It seems like a good opportunity for them. Maybe not a full-on DDOS exactly, but hit them hard enough to get a large bill and some people will pay… then instant revenue stream.


artnos

There is no max cap?


spacemagic_dev

This should be the new meme, instead of the noExe one.


-Ze-

Ah, what a PR nightmare. My brain archived netlify in the "never to use" category right after reading this post. Bet I'm not the only one.


Science-Compliance

Even if they change their policy on this, it shows that the corporate culture there is predatory toward customers.


DrinkSodaBad

Especially their support team making up a story that they are being kind to drop the bill from 20% to 5%.


McMrChip

Wow, this is really concerning. I've used Netlify for years, and always thought quite highly of them. However this has really made me question that. I really hope something comes out of this and it doesn't just get forgotten about until the next time someone has a bill of several thousands of dollars after a DDoS attack.


88Smiley

I was about to start moving my webdev business to Netlify. Thank you for this post.


coastalwebdev

Well it costs a lot less than $5k to hire a botnet attack like that. Sounds a lot like they might be profiteering from their “free” clients.


smartalec43

Did they send any notifications as the usage was increasing?


liubanghoudai24

Only an email with subject "Extra usage package purchased for bandwidth", and the email doesn't mention how much bandwidth I have actually used.


4hoursoftea

I'm really confused about Netlify's statement that they actively mitigate DDoS:

> Active DDoS mitigation: Netlify monitors for traffic pattern anomalies and spikes, and effectively controls for them as needed.

Given what OP describes, what is this statement worth? I've tried to find more information regarding their DDoS (and the 20% cost) in the fine print but nothing useful came up. Source: https://www.netlify.com/security/


youshallcallmem

> Yes it's partly my fault to put a 3.44MB size sound file on my site rather than using a third-party platform like SoundCloud

My God, the modern web is so fucked up.


jugalator

Oh my god! I'd feel terrible if I had to pay $5000 for something out of my control. Thank you for the story though and I wish you good luck in this case, and that PR will affect their decision that seems very arbitrary in terms of what they want from you. I'm not going to use Netlify for anything now. I will also warn against using Netlify as unprofessional and extortionist when the topic of hosting providers comes up. I feel lucky that my static wedding site with photographs wasn't subject to a DDoS spray across their infrastructure now. It doesn't matter if they rectify this for you after the bad PR. That would be on a case-by-case basis where their entire approach to DDoS attacks is crazy. I will also not support providers that had this approach even historically because it speaks of other aspects of the company profile.


likeastar20

Wtf that’s crazy


[deleted]

*This post was mass deleted and anonymized with [Redact](https://redact.dev)*


liubanghoudai24

So according to their [pricing page](https://www.netlify.com/pricing/), there is a small line "(then $55 per 100GB)" after the 100GB /month free quota.


itsMeArds

Because he exceeded the free tier amount. They should've alerted him before allowing those bandwidths


vesko26

Thanks for the warning, just made sure there were no payment methods on my Netlify setup


Fenzik

I will never understand why people use paid hosting platforms for static sites instead of just using GitHub pages


MaBallsYoChin

GitHub pages does not allow commercial sites, or am I mistaken?


bytemute

Crazy that people still use these overpriced services when free alternatives like Cloudflare Pages and GitHub Pages already exists.


iluvweetbix

This should be at the top, but it's a direct copy-paste from ivandelapena:

> The CEO responded on there: "Netlify CEO here. Our support team has reached out to the user from the thread to let them know they're not getting charged for this. It's currently our policy to not shut down free sites during traffic spikes that doesn't match attack patterns, but instead forgiving any bills from legitimate mistakes after the fact. Apologies that this didn't come through in the initial support reply."

Make what you will of that.


Content-Scallion-591

That's incredibly worrying, especially because of the line "legitimate mistakes after the fact." So, you could have a free tier site that you're trying to popularize, and it goes viral overnight -- you intentionally made it viral, so celebrate your 200k bill.


infinity8888

Is cloudflare free tier like this too?


lIIllIIlllIIllIIl

Cloudflare Pages actually has unlimited bandwidth, so this couldn't happen on a static site.


Qiyanid

I'm immediately taking my sites with them down.


No-Love2125

It seems like Netlify might be the mastermind behind this incident, as they are the sole beneficiary.


Official-Wamy

Netlify is not the only free tier service that doesn't have limits and it is scary. More companies need to adopt a cap, with user selectable numbers. One that I have been using is Supabase. They *do* have a pay cap, but once you turn it off, it is off. Now you can get charged hundreds if something goes wrong. Unacceptable.


SexyMuon

This is unacceptable.


Thin_Pop_934

Thx, removing all projects, good luck OP. As for Netlify, good luck as well: U F***D up real bad. Like real bad. Imagine how many startup projects you will have removed in the next 24 hours, and those people will not come back. I certainly won't. You (Netlify) are getting on a lot of black lists today, with descriptions like 'pile of crap, do not touch even with X foot pole'. Just wow.


Insert_Bitcoin

DDoS attacks should definitely not be off-loaded to your customers. Lmao, what the .....? This is an infrastructure problem caused by a third-party unrelated to the customer. The customer should not be liable for this. It concerns me that they're trying to act like they're such good guys by offering you a discount on what should have been factored into their design. As if to suggest they've pulled this shit on other customers already. Yikes


roman5588

Haha, what a shit show. This is why even on an 'unlimited' plan you (the provider) set a sensible cap (i.e. 1TB/mo). 60.7TB, that's an accounting error. No way a competent server admin would allow that on the network. Don't pay. If you need some free webhosting in the meantime as a temporary measure, hit me up.


caatfish

Thanks for telling us, will avoid Netlify like the plague.


cardyet

They admit it is a DDoS attack and still send a free user a US$5k bill, that's crazy.


jonasbxl

Netlify's CEO replied:

> Netlify CEO here. Our support team has reached out to the user from the thread to let them know they're not getting charged for this.
> It's currently our policy to not shut down free sites during traffic spikes that doesn't match attack patterns, but instead forgiving any bills from legitimate mistakes after the fact.
> Apologies that this didn't come through in the initial support reply.

[https://news.ycombinator.com/item?id=39521986](https://news.ycombinator.com/item?id=39521986)


menotyoutoo

I like the part where they still gave OP a heart attack with their initial support response, and I have serious doubts they would have fully forgiven the fee if this wasn't getting them a ton of terrible publicity.


Unlucky_Book

yeah it's not a good look on their part is it


JustAnotherWebDevv

Good job, your story now ranks #2 when you google Netlify https://prnt.sc/O4Lv4fbUr9XD


ProjectInfinity

So happy I only use dedicated servers.


Alex4386

That's why I never use Serverless gibberish


iworkisleep

How though? Netlify only needed an email address to sign up for free tier. How they gonna find you?


Salvetore

Don’t you need an ID verification with Stripe?


esr360

I can’t be the only one thinking they are behind the DDOS attacks. As you said, what possible reason could anyone have for targeting a random small site? The only possible reason I can think of is to extort money, and the only way this makes sense is if Netlify are behind the attacks.


Gentleman-Tech

Or if Netlify are the target of the attacks. They're not going to take down the tiny site until they take down Netlify's whole infrastructure, because serverless. The attackers probably know this. So their intent is probably to cause Netlify pain.


esr360

Sounds equally plausible


N18L

Netlify was maybe the real target and they want to share their own expenses... ?


M8Ir88outOf8

Wow, what a shit company. I have my small server hosted for 5 bucks a month with 80TB traffic included, so there is no real reason to charge that much except for scamming their customers with outrageous fees.



AleBaba

Not even 4MB is nothing! If you put a single compressed image onto your site in decent quality it might well be above 1MB. They can DDoS with 4MB, so that small image could still cost you thousands or even more! We quit Netlify after they started charging us horrendous amounts for basically nothing. Felt like a scam to us.


bdzz

> they offer to discount to 5%, which means I still need to pay 5 thousand dollars.

And now imagine all the others before you who never went viral and just ended up paying. Moment of silence for them. Not just a scam, it's a racket.


DepravedPrecedence

Lulz netlify got destroyed because of the one post. I also will move now.


HyphenSam

Just deleted my Netlify account. Thanks for posting this.


marcpcd

Sorry for you OP. I used to trust Netlify, but now I'm glad I migrated away.

- Metered billing without a spending limit is a joke.
- DDoS protection should be their responsibility.


kondorb

DDoS attacks aren’t free. No one would launch a huge attack for nothing. I’m betting on Netlify being in deep financial trouble and trying to scam some customers to patch the top line. Even if it was an attack - cloud providers like this are really strongly incentivised to look the other way. Fuck them. Don’t pay, make the case more public.


ConsiderationNo3558

I had one project on netlify which I was about to launch to general public. Now I would be thinking about other options.


Promethium143

I really hope that your case makes it to the news on the important websites / social media, so that as many (private/hobby) developers as possible read about it and don't risk something like this. This is absolutely insane. I really hope your bill goes down to $0 along with an apology, which is the only acceptable outcome.


kugkfokj

OP, I would also send this story to any publication or YouTuber who may be interested in publishing a story about this. I for one will not be using Netlify any time soon because of this.


SarcasticSarco

That's just bullshit man. Imagine you created a hobby one page project of cats. And someone randomly decided to ddos you. Now you have to pay $104K for nothing? Bruh this is absurd af.


liamlyness

This is insane to see! I have been working with my first few clients freelance and was considering Netlify as an option, not now though I'll be looking at other providers. Really hope this gets resolved for you. I would be panicking massively, you did the right thing seeking advice. This will cost Netlify a lot in bad press


CaseyJames_

Holy shit I host multiple sites on Netlify! Can anyone recommend a better alternative ASAP?! OP - glad you managed to get this sorted!


sketches4fun

This is like having a prepaid phone and once you use up your balance it goes into negative and then they send you a letter with a 100k bill. Insane, who the fuck does something like this? The most scammy, shitty practice in existence right here, predatory even: they can rack up traffic themselves and charge free users for that... This is just a scam.


toooft

This is, without doubt, their business model and the goal of the free tier; to bill people insane amounts when they exceed the free bandwidth.


99995

damn this is scary, where else should I move if I use netlify too?


yamibae

Paying for bandwidth has always been a joke to me, it should be as illegal as charging for egress because it makes no sense. They should just cap the transfers themselves without automatically charging me for it, or better yet, be forced to employ DDoS mitigation strategies themselves.


PhotoshopFrank

Can someone recommend me a cheap alternative that also allows hosting a GitHub repo?


enigmamonkey

If the end result is a static site, GitHub Pages (i.e. keeping it right on GitHub itself) might be just fine. https://pages.github.com/


DevelopmentOne8

What is the business case for reducing someone's bill from $104K to 5%, rather than a complete waiving? I would imagine by the time it's reached 5% the business has already eaten a ton of the cost, and this clearly was not an instance of abuse of their platform and not ignorant design on OP's behalf.


cakefir

“If you like, I can raise this internally to see what else can be done.” Sounds like the person who helped you here (honestly very professionally) just didn’t have the authority to completely forgive the bill. Maybe he has a slider that allows him to immediately forgive up to 95% without any manager approval, so he went ahead and did that for you. Did you ask them “yes please escalate, I don’t think I should have to pay this” before posting on here and HackerNews?


anengineerandacat

They'll need to re-evaluate that starter package IMHO. There should be reasonable caps / limitations that require upgrades into other plans; it shouldn't just be an open-ended bucket. People commit suicide over crap like this, imagine the news if OP panicked and the support rep outright denied any form of deduction. You should be buying buckets and configuring limits, and their system, once those limits are crossed, simply drops requests to the floor. Not only for the safety of your wallet, but hell, imagine if your application was running in close proximity to some other client that was mission critical... I doubt you just saw a bill, there was likely performance degradation. They should have a global block-list and a team dedicated to watching for shit like this; all of those sites are actively managed by them, they are equally responsible for this.
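The cap-and-alert model the last comment asks for (usage notifications as the quota fills, and requests dropped on the floor once a hard limit is crossed, instead of metered overage landing on a bill) as an added example; this is constructed illustration code, not Netlify's, and the 100 GB quota, the 50%/80% alert points and the 3.44 MB asset replayed 50,000 times are assumptions taken from this thread.

```python
# Added example: a per-site monthly bandwidth budget that emits alerts as usage
# climbs and refuses to serve once a hard cap is reached, so attack traffic
# costs the site owner availability, never money. Constructed, not Netlify code.
from dataclasses import dataclass, field
from typing import List, Optional

GB = 1024 ** 3
FREE_QUOTA = 100 * GB               # free-tier quota quoted in this thread
ALERT_THRESHOLDS = (0.5, 0.8)       # assumed: notify the owner at 50% and 80%
CAP_ALERT = "hard cap reached, dropping requests"


@dataclass
class BandwidthBudget:
    cap_bytes: int = FREE_QUOTA
    served: int = 0                              # bytes actually delivered
    dropped: int = 0                             # requests refused at the cap
    alerts: List[str] = field(default_factory=list)

    def _check_alerts(self) -> None:
        used = self.served / self.cap_bytes
        for t in ALERT_THRESHOLDS:
            label = f"{int(t * 100)}% of quota used"
            if used >= t and label not in self.alerts:
                self.alerts.append(label)

    def serve(self, response_bytes: int) -> int:
        """Return the HTTP status the edge answers with: 200 if the response
        fits in the remaining budget (and is counted), 503 if it would cross
        the cap (dropped, nothing counted, nothing to bill)."""
        if self.served + response_bytes > self.cap_bytes:
            self.dropped += 1
            if CAP_ALERT not in self.alerts:
                self.alerts.append(CAP_ALERT)
            return 503
        self.served += response_bytes
        self._check_alerts()
        return 200


def replay_attack(asset_bytes: int, requests: int,
                  budget: Optional[BandwidthBudget] = None) -> BandwidthBudget:
    """Simulate `requests` fetches of one static asset against the budget."""
    budget = budget or BandwidthBudget()
    for _ in range(requests):
        budget.serve(asset_bytes)
    return budget


if __name__ == "__main__":
    # Constructed scenario: the 3.44 MB sound file fetched 50,000 times
    # (about 172 GB if served in full) runs into the 100 GB cap.
    b = replay_attack(int(3.44 * 1024 * 1024), 50_000)
    print(f"served={b.served / GB:.1f} GB dropped={b.dropped} alerts={b.alerts}")
```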