CostGoat

Cloud · Netlify · February 27, 2024

$104,500 — a DDoS on one sound file ran a free static site to a $104K bill

Vendor: Netlify

Service: Netlify bandwidth (free tier)

Amount: $104,500 (reported)

Timeframe: 190TB in 4 days

Cause: DDoS traffic spike

Outcome: Waived

Who's exposed: Anyone treating a host's included bandwidth as a hard cap. Free tiers meter overages with no spend limit, and a flood aimed at one large file can run it up in days.

Resolution: After the post reached Hacker News, Netlify's CEO replied publicly and support reached out to waive the full bill. Netlify said its policy is to forgive charges from honest mistakes rather than shut down free sites during non-attack spikes.

Self-reported with billing screenshots; Netlify's CEO responded publicly and the story was widely covered. r/webdev (by u/liubanghoudai24)

What happened

A developer ran a small Cantonese-language static site, jyutping.org, on Netlify's free tier for four years. It averaged around 200 visitors a day and never used more than about 10GB of bandwidth a month. One weekend an email arrived saying $104,500 was overdue. The dashboard showed 190TB of bandwidth in four days, with one day peaking above 60TB. A distributed attack had hammered a 3.44MB MP3 file hosted on the site. Netlify bills $55 per 100GB over the free allotment, so the traffic converted straight into a six-figure charge. There was no spend cap and no alert, and the only email was a receipt for the extra bandwidth package. Support first offered to reduce the bill to 5 percent, about $5,000, as a courtesy.

Root cause

Netlify's free tier includes bandwidth but does not cap spend. Once traffic passes the allotment, overage bills at $55 per 100GB with no ceiling and, here, no proactive alert. A static host has no application layer to rate-limit an attacker, so a flood aimed at one large asset turns directly into bandwidth cost. The included quota looked like a hard limit but was really just the point where metered billing began.

How to avoid it

Serve large media from object storage or a CDN with its own limits, not your host's bandwidth. A few-megabyte file behind a metered host is a cheap target; the same file on a rate-limited CDN is not.

Put the site behind a proxy that offers free DDoS protection, such as Cloudflare. It absorbs the flood before it ever counts as billable egress.

Treat an included quota as a billing threshold, not a spending cap, and set a budget alert. Overage on many free tiers has no ceiling, so the only real limit is the one you add.
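As an added example (not code from the original write-up or from Netlify), this Python check applies the $55 per 100GB rate quoted above to access-log egress and flags both a budget breach and a single asset dominating traffic. The combined log format, the constructed sample lines, the `/audio/sample.mp3` path, the 100GB included allotment and billing in whole 100GB packages are assumptions.

```python
import math
import re
from collections import Counter

RATE_USD = 55      # from the page: $55 per 100GB of overage
PACKAGE_GB = 100
GB = 10**9         # decimal units, so 190TB is 190,000GB

# Request path, status and response size in a combined-format access log line.
LINE = re.compile(r'"(?:GET|HEAD) (\S+) [^"]*" (\d{3}) (\d+)')

# Constructed sample: a flood on one 3.44MB file plus a little normal traffic.
SAMPLE = (
    ['203.0.113.7 - - [01/Jan/2024:00:00:01 +0000] '
     '"GET /audio/sample.mp3 HTTP/1.1" 200 3440000 "-" "-"'] * 50000
    + ['198.51.100.4 - - [01/Jan/2024:00:00:02 +0000] '
       '"GET /index.html HTTP/1.1" 200 20000 "-" "-"'] * 200
)

def egress_by_path(lines):
    """Sum response bytes per request path; unparseable lines are skipped."""
    totals = Counter()
    for line in lines:
        m = LINE.search(line)
        if m:
            totals[m.group(1)] += int(m.group(3))
    return totals

def overage_cost(total_bytes, included_gb):
    """Overage in USD, billed in whole 100GB packages (assumption)."""
    over_gb = max(0.0, total_bytes / GB - included_gb)
    return math.ceil(over_gb / PACKAGE_GB) * RATE_USD

def check(lines, included_gb, budget_usd, hot_share=0.8):
    """Return (cost, alerts) for one window of log lines."""
    totals = egress_by_path(lines)
    total = sum(totals.values())
    cost = overage_cost(total, included_gb)
    alerts = []
    if cost > budget_usd:
        alerts.append(f"overage ${cost} exceeds budget ${budget_usd}")
    if total:
        path, nbytes = totals.most_common(1)[0]
        if nbytes / total >= hot_share:
            alerts.append(f"{path} is {nbytes / total:.1%} of egress")
    return cost, alerts

if __name__ == "__main__":
    print(check(SAMPLE, included_gb=100, budget_usd=0))  # 100GB allotment is assumed
```

Run over a short rolling window of logs, the same check surfaces a flood on one file while the overage is still a single package.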
