On Tuesday, February 27, I was casually browsing Reddit, as I often do, when I stumbled on a slightly alarming post in the r/webdev subreddit. The post was titled "Netlify just sent me a $104K bill for a simple static site".
You can read the full post here on Reddit for the OP's story if you didn't catch it, but in short, OP's essentially unknown site got hit by a sudden onslaught of DDoS traffic, racking them up a cool $104,000 bill from Netlify!
Now according to Netlify, normally, they can detect and mitigate DDoS attacks, and the OP's case was simply an anomaly. But instead of immediately waiving the bill, they very nonchalantly suggested they'd only charge him 5% of the bill - only $5,200 - basically a steal right?? 🙄
That is, until some commenters on Reddit suggested OP post the story to Hacker News, which OP did, and then Netlify suddenly changed their tune.
After the story went viral, the CEO commented on the same Hacker News thread that the fees would be waived, and apologized that the support team didn't handle the situation better.
But a lot of damage had already been done, and many Redditors felt that Netlify's response was too little, too late. They commented that they'd lost their trust in the company, and that they had already started migrating their sites away from Netlify, and would never use them again. Others who were considering using Netlify in the future, said they'd now be looking elsewhere.
I've been a Netlify user for a few years now, and while I can't say I find their service perfect as it's missing some pretty crucial support for some things I use, it's still been a pretty good experience overall. And for someone like me (and like the OP), with just a small-time relatively unknown site generating very little traffic every month (basically nothing), their free tier has been a godsend. Or well, at least I thought it was, until I read this story.
The Concern
Ok, so what's the actual reason, assuming you didn't venture off to read OP's story, that a free-tier site was able to rack up a massive bill in a very short amount of time?
Well, I already mentioned it was related to a sudden onslaught of DDoS traffic, but the real concern here is that Netlify doesn't shut down your site when the traffic surges.
In fact, not only do they not shut down the traffic to your site, but apparently OP only received a single email from Netlify about "Extra usage package purchased"! And that was it. No warning, no nothing.
Netlify apparently has agreements in place with paid tiers, but free tiers offer no such provisions. So, if you're on the free tier, and you get hit by a DDoS attack, you're basically screwed. But don't worry, they'll give you a good discount!
Some commenters on Reddit even noted - with such a policy in place - it's almost like Netlify is encouraging DDoS attacks on free-tier sites, as they'd be the only ones who'd benefit from it.
The Aftermath
As I noted at the beginning of this post, many Redditors have already started migrating their sites away from Netlify. But to say Netlify is alone with this policy would be inaccurate.
It seems that a number of other popular hosts with free tiers also don't offer a kill-switch for traffic surges, so moving over to another host may not necessarily solve the problem.
Reading the fine print has yet again shown to be crucial, and I'm just as guilty as the others for not doing so!
After some more backlash, Netlify's CEO posted a follow-up comment on the same Hacker News thread, stating that they'd be reviewing their policies and making changes to ensure that this kind of situation doesn't happen again.
Now while that's a bit of a relief, I wonder how long it'll take for them to actually implement these changes, and if they'll be enough to win back the trust of those who've already left.
Final Thoughts
I'm not entirely sure if it's enough for me, but I guess only time will tell. As it stands, I'm still considering my options.
I'm not sure if I'll be moving my sites away from Netlify just yet, but I'm definitely going to be keeping a closer eye on my traffic and usage from now on.
I've also learned that I need to be more vigilant with the fine print of the services I use, and I hope you've learned the same from this post.
What are your thoughts on this? Are people freaking out too much over this? Have you been affected by a similar situation with Netlify or another host?
Let me know in the comments below.