69 comments

[ 2.8 ms ] story [ 64.7 ms ] thread
After a quick check on Vercel stories, it seems all payments were discarded or mistakes in the first place.

Does it really happen to really have to pay such a bill? Do you need to tweet about it to be reimbursed?

I thought this would be about the horrors of hosting/developing/debugging on “Serverless” but it’s about pricing over-runs. I scrolled aimlessly through the site ignoring most posts (bandwidth usage bills aren’t super interesting) but I did see this one:

https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-c...

About how you make unauth’d API calls to an s3 bucket you don’t own to run up the costs. That was a new one for me.

> I reported my findings to the maintainers of the vulnerable open-source tool. They quickly fixed the default configuration, although they can’t fix the existing deployments.

Anyone wanna guess which open source tool this was? I'm curious to know why they never detected this themselves. I'd like to avoid this software if possible as the developers seem very incompetent.

This site is a bit dated. I remember in response to this Vercel added a way to pause your projects when hitting a spend limit. I enabled it for my account.

Still, it made me question why I'm not using a VPS.

> I had cloudflare in front of my stuff. Hacker found an uncached object and hit it 100M+ times. I stopped that and then they found my origin bucket and hit that directly.

Pardon my ignorance, but isn’t that something that can happen to anyone? Uncached objects are not something as serious as leaving port 22 open with a weak password (or is it?). Also, aren’t S3 resources (like images) public so that anyone can hit them any times they want?

"Serverless" is a an Orwellian name for a server-based system!
It's just the tech-bro version of "shared hosting", now with a 10000% markup and per-request billing.
Maintaining your own containers or VMs is hard considering how much risk appetite you have for the issues at infra level. So, yeah, when you complain about the costs of serverless, you are just paying for your low risk appetite low cost of your IT management.
Yeah I also left my website hosted on Google Cloud because costs popped from everywhere, and there is basically no built-in functionality to limit them. So I didn't really slept relaxed (I actually slept great, but I hope you get the point) knowing that a bug could cost me... who knows how much. Actually, as the website of OP says, for spending control you have budget notifications and with that you can disable the billing for all the project altogether through some API call or something, I don't remember exactly, that is all there is. But still it looks like this functionality is just not there.
Are there any protections these days at the cloud provider level?

Like setting a maximum budget for a certain service (EC2, Aurora?) because downtime is preferable to this?

Putting any sort of pay per use product onto the open internet has always struck me as insane. Especially with scaling enabled.

At least stick a rate limited product in front of it to control the bleed. (And check whether the rate limit product is in itself pay per use...GCP looking at you)

(comment deleted)
It would help to round to the cent. With 3 digits to the right of the dot it's ambiguous whether it's a decimal point or a thousands separator, and the font and underline makes the comma vs dot distinction a bit unclear.
Don’t most of these services have config options to protect against doing this? I haven’t used most of these services but it running up a bill during traffic spikes but not going down seems like it’s working as intended?
At one time, I considered using Firebase as a backend, but then, I kept reading stories like these, and decided to roll my own. I'm fortunate to be able to do that.

It's kind of amazing, though. I keep getting pressure from the non-techs in my organization to "Migrate to the Cloud." When I ask "Why?" -crickets.

Industry jargon has a lot of power. Seems to suck the juice right out of people's brains (and the money right out of their wallets).

When I was learning to program through a bootcamp I spun up an elastic beanstalk instance that was free but required a credit card to prove your identity. No problem that makes sense - it's an easy way to prove authentication as a bot can't spam a credit card (or else it would be financial fraud and most likely a felony).

Amazon then charged me one hundred thousand dollars as the server was hit by bot spam. I had them refund the bill (as in how am I going to pay it?) but to this day I've hated Amazon with a passion and if I ever had to use cloud computing I'd use anyone else for that very reason. The entire service with it's horrifically complicated click through dashboard (but you can get a certification! It's so complicated they invented a fake degree for it!) just to confuse the customer into losing money.

I still blame them for missing an opportunity to be good corporate citizens and fight bot spam by using credit cards as auth. But if I go to the grocery store I can use a credit card to swipe, insert, chip or palm read (this is now in fact a thing) to buy a cookie. As opposed to using financial technology for anything useful.

> required a credit card to prove your identity

Given the relative accessibility of stolen credit card info, isn't the CC-as-ID requirement easy for a criminal to bypass?

Since this seems to be getting some comments. Yes, it is in fact easy to shut down an instance if it goes over a spending limit. As in you monitor traffic tied directly to the billing system and you set up an if statement and if it goes over the limit you shut down the server and dump the service to a static drive.

It's the easiest thing in the world - they just don't want to because they figured that they could use their scale to screw over their customers. And now you have the same guys who screwed everyone over with cloud compute wanting you to pay for AI by using their monopoly position to charge you economic rents. Because now things like edge compute is easy because everyone overspent on hard drives because of crypto. And so you have jerks who just move on to the next thing to use their power to abuse the market rather than build credibility because the market incentivizes building bubbles and bad behavior.

Smart evil people who tell others "no you're just too dumb to 'get it' (oh by the way give me more money before this market collapses)" are the absolute bane of the industry.

It's weird that you have people in here defending the practice as if it's a difficult thing to do. Taxi cabs somehow manage not to charge you thousands of dollars for places you don't drive to but you can't set up an if statement on a server? So you're saying Amazon is run by people that are dumber than a taxi cab company?

Ok, well you might have a point. And this is how Waymo was started. I may or may not be kidding.

Did you do any training before launching the elastic beanstalk instance, or you just though a F-16 should be pretty easy to fly, at least according to most pilots?
Do you often find F16s that are (advertised as) free, and you get them with a click of 3 buttons?
Do you agree that if they would, they would still be an F-16 ?
Not that Amazon needs any defending, but for anyone running a bootcamp: this is a good reason to start with services like Heroku. They make this type of mistake much harder to make. They're very beginner friendly compared to raw AWS.
> When I was learning to program through a bootcamp I spun up an elastic beanstalk instance that was free but required a credit card to prove your identity. No problem that makes sense

It does on the surface, but what doesn't make sense is to register with a credit card and not read the terms very carefully: both for the cloud service and for the bank service.

In this aspect cash is so much better because you have only one contract to worry about...

I've had this twice. Once with oracle, once with azure. They both charged me $2000-$5000 for simply opening and closing a database instance (used only for a single day to test a friend's open source project)

To be fair, support was excellent both times and they waived the bills after I explained the situation.

The real serverless horror isn't the occasional mistake that leads to a single huge bill, it's the monthly creep. It's so easy to spin up a resource and leave it running. It's just a few bucks, right?

I worked for a small venture-funded "cloud-first" company and our AWS bill was a sawtooth waveform. Every month the bill would creep up by a thousand bucks or so, until it hit $20k at which point the COO would notice and then it would be all hands on deck until we got the bill under $10k or so. Rinse and repeat but over a few years I'm sure we wasted more money than many of the examples on serverlesshorrors.com, just a few $k at a time instead of one lump.

looking forward to the "LLM token horrors" version
There should also be a general category for "cloud horrors" for things that cost $50k/month to host that would be $1500/month on a bare metal provider like Datapacket or Hetzner.

I'm old enough to remember when cloud was pitched as a big cost saving move. I knew it was bullshit then. Told you so.

This is why when I contract for an early stage startup, I pose the question:

"What if your app went viral and you woke to a $20k cloud bill? $50k? $80k?"

If the answer is anything less than "Hell yeah, we'll throw it on a credit card and hit up investors with a growth chart" then I suggest a basic vps setup with a fixed cost that simply stops responding instead.

There is such a thing as getting killed by success and while it's possible to negotiate with AWS or Google to reduce a surprise bill, there's no guarantee and it's a lot to throw on a startup's already overwhelming plate.

The cloud made scaling easier in ways, but a simple vps is so wildly overpowered compared to 15 years ago, a lot of startups can go far with a handful of digitalocean droplets.

Couple years ago I was charged in USD 4K on Google Cloud after trying recursive cloud functions.

I told them that was a mistake and they forgot the debit, they just asked to no do again.

I have a feeling I will be downvoted for this, but...

Have the people posting these horror stories never heard of billing alerts?

We are building bare metal for our workloads… I don’t care if cloud is supposed to be cheaper because it never is. You can get a decent small business firewall to handle 10gbit fiber for $600 from unifi these days. Just another reason I’m glad I moved out of the Bay Area and nyc to a midwestern town for my company. I have a basement and can do rad things in my house to grow my business.
last employer asked for an estimate to migrate to cloud.

it would be 2x more expensive and halve developer speed. also we would lose some internal metric systems honed over 20yr.

ceo told to go ahead anyway (turn out company was being sold to Apollo)

first thing we did was a way to bootstrap accounts into aws so we could have spend limits from day one.

can't imagine how companies miss that step.

Hetzner, 16TBx2 HDD, 1TBx2 SDD, 64GB RAM, 20TB free bandwidth, $70/month.

I used 1TB of traffic on a micro instance and it cost me $150 (iirc). Doesn't have to be this way.

I guess I'm missing something, why is this 'serverless' horrors? If anything it seems to specifically be serverful horrors.