Cloud · Netlify · February 27, 2024
$104,500 — a DDoS on one sound file ran a free static site to a $104K bill
Vendor: Netlify
Service: Netlify bandwidth (free tier)
Amount: $104,500 (reported)
Timeframe: 190TB in 4 days
Cause: DDoS traffic spike
Outcome: Waived
Who's exposed: Anyone treating a host's included bandwidth as a hard cap. Free tiers meter overages with no spend limit, and a flood aimed at one large file can run it up in days.
Resolution: After the post reached Hacker News, Netlify's CEO replied publicly and support reached out to waive the full bill. Netlify said its policy is not to shut free sites down during traffic spikes that are not attacks, and to forgive charges that come from honest mistakes.
Self-reported on r/webdev (by u/liubanghoudai24) with billing screenshots; Netlify's CEO responded publicly and the story was widely covered.
What happened
A developer ran a small Cantonese-language static site, jyutping.org, on Netlify's free tier for four years. It averaged around 200 visitors a day and never used more than about 10GB of bandwidth a month. One weekend an email arrived saying $104,500 was overdue. The dashboard showed 190TB of bandwidth in four days, with one day peaking above 60TB. A distributed attack had hammered a 3.44MB MP3 file hosted on the site. Netlify bills $55 per 100GB over the free allotment, so the traffic converted straight into a six-figure charge. There was no spend cap and no alert, and the only email was a receipt for the extra bandwidth package. Support first offered to reduce the bill to 5 percent, about $5,000, as a courtesy.
Root cause
Netlify's free tier includes bandwidth but does not cap spend. Once traffic passes the allotment, overage bills at $55 per 100GB with no ceiling and, here, no proactive alert. A static site has no server-side code of its own where the owner could rate-limit or block an attacker, and the host's edge serves every request it receives, so a flood aimed at one large asset turns directly into billable egress. Whether the requests come from visitors or from a botnet makes no difference to the meter. The included quota looked like a hard limit but was really just the point where metered billing began.
How to avoid it
• Serve large media from object storage or a CDN whose limits you control, not from your host's metered bandwidth. A few-megabyte file on a host that bills per gigabyte with no ceiling is a cheap target; the same file behind a CDN you can rate-limit, cap, or take offline is not.
• Put the site behind a proxy that offers free DDoS protection, such as Cloudflare, so the flood is absorbed before it counts as billable egress. This only works if the host's direct hostname (the default subdomain it assigns, for instance) is not also reachable, because an attacker who finds it goes around the proxy; confirm that requests to the origin hostname are blocked or redirected to the proxied domain.
• Treat an included quota as a billing threshold, not a spending cap, and set a budget alert on actual spend. Overage on many free tiers has no ceiling and, as here, can arrive with no warning, so the only real limit is the one you add, and the alert has to reach you within hours: at the rate seen here, each day of delay cost tens of thousands of dollars.
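Putting the root cause and the last bullet into practice, here is an added example (not code from the Reddit post, from Netlify, or from the site owner) that reads per-request byte counts from an access log, prices the overage at the story's $55 per 100 GB in whole 100 GB packages, and flags the single-asset concentration that marks this kind of flood. The log format and request counts are constructed for illustration, not Netlify's log-drain schema; the 100 GB included allotment is an assumption to replace with your own plan's figure. With that allotment, 190 TB prices at 1,899 packages ($104,445), and with no allotment subtracted at 1,900 packages, the $104,500 the story reports.

```python
import math
from collections import defaultdict

# Pricing parameters. The $55 per 100 GB overage rate is the figure from the
# story. The included allotment is an ASSUMPTION (set it from your plan).
OVERAGE_USD_PER_100GB = 55.0
INCLUDED_GB = 100.0
GB = 10**9  # decimal gigabytes, as bandwidth dashboards bill them

# Constructed sample log, one response per line: "<path> <bytes_sent>".
# The 3.44 MB MP3 size matches the story; the request mix is invented.
SAMPLE_LOG = """\
/index.html 18432
/sound/sample.mp3 3440000
/sound/sample.mp3 3440000
/sound/sample.mp3 3440000
/css/site.css 9210
/sound/sample.mp3 3440000
/about.html 15360
/sound/sample.mp3 3440000
"""


def parse_log(text: str) -> dict:
    """Sum bytes served per path. Malformed lines are skipped, not fatal."""
    totals: dict = defaultdict(int)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        totals[parts[0]] += int(parts[1])
    return dict(totals)


def overage_usd(total_bytes: int, included_gb: float = INCLUDED_GB,
                rate: float = OVERAGE_USD_PER_100GB) -> float:
    """Metered overage: the allotment is where billing starts, not where it stops.

    Extra bandwidth is sold in whole 100 GB packages, so round up.
    """
    over_gb = max(0.0, total_bytes / GB - included_gb)
    return math.ceil(over_gb / 100) * rate


def top_asset(totals: dict) -> tuple:
    """Return (path, share_of_total_bytes) for the asset consuming most egress."""
    total = sum(totals.values())
    if total == 0:
        return ("", 0.0)
    path = max(totals, key=totals.get)
    return (path, totals[path] / total)


def assess(totals: dict, budget_usd: float, share_threshold: float = 0.8) -> dict:
    """Produce the alert a budget monitor should have raised.

    Two independent signals: projected overage above the budget you set, and
    a single asset accounting for most egress (the fingerprint of a flood
    aimed at one large file rather than organic traffic across the site).
    """
    total_bytes = sum(totals.values())
    cost = overage_usd(total_bytes)
    path, share = top_asset(totals)
    alerts = []
    if cost > budget_usd:
        alerts.append(f"overage ${cost:,.0f} exceeds budget ${budget_usd:,.0f}")
    if share >= share_threshold:
        alerts.append(f"{share:.0%} of egress is a single asset: {path}")
    return {
        "total_gb": total_bytes / GB,
        "overage_usd": cost,
        "top_path": path,
        "top_share": share,
        "alerts": alerts,
    }


if __name__ == "__main__":
    # Tiny constructed sample: no overage yet, but the concentration is already visible.
    print(assess(parse_log(SAMPLE_LOG), budget_usd=20))
    # The story's scale: 190 TB against one file, against a $20 budget.
    print(assess({"/sound/sample.mp3": 190 * 10**12}, budget_usd=20))
```

The concentration check is the one worth wiring to a fast notification: it fires on the shape of the traffic, long before the byte count alone would cross a budget, which matters when a day of the flood costs more than a year of normal hosting.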
CostGoat watches your Netlify bills, so a surprise like this reaches you as an alert, not an invoice.
More Bill Shock stories
June 7, 2024
$96,000/wk — artists fled Meta's AI policies to Cara, and its serverless bill scaled as fast as its users
April 30, 2025
$9,700 — a chatty microservice through one NAT gateway cost $9.7K in a month
January 15, 2025
$450,000 — a compromised key ran up 19 billion translations on Google Cloud
November 3, 2023
