Are Hetzner servers in both the guard and middle position for a lot of Tor circuits? Observations from Hetzner traffic numbers vs. own monitoring

TL;DR My findings suggest that around 15% of my Tor traffic on Hetzner servers stays within Hetzner, therefore both the guard and middle relay appear to be inside the Hetzner network for a significant amount of these circuits.

I was doing some basic maintenance on my server farm today and noticed something odd. For the Tor servers I have running at Hetzner, the traffic numbers quoted by Hetzner in their console are a good amount lower than the numbers I was seeing in my monitoring suite running on the servers directly. This was consistent across all the Tor servers I host there while a different server – not used for Tor in any way – didn’t show this behavior and the numbers matched within 1% of each other.

I read up and looked at how Hetzner measures their numbers:

  • The measured values of the traffic usage are determined by the routers only after disconnecting a TCP connection. If a TCP connection exists for several hours, the total volume of this traffic will be displayed as a peak at the time of disconnection.
  • We calculate monthly traffic only using outgoing traffic. We do not count incoming and internal traffic.

To exclude the first point from screwing with my findings, I restarted all Tor instances for one of the servers and completely rebooted a second one. The changes were minimal.

Could it therefore be that the remaining traffic stays within Hetzner and is therefore not counted by their console? That implies that quite a significant number of Tor circuits are being built with Hetzner servers in both the guard and middle position. Is that possible? If so, is this behavior known and desired? I highly doubt it!

Here are the numbers:

Things to note:

  • My monitoring solution accumulates traffic every 5 minutes and displays the totals in TiB with 2 decimal points.
  • The Hetzner Console numbers appears to update every ~30 minutes and are displayed down to the MB.
  • My Tor instances at Hetzner are a wild mix of guard and middle nodes
  • Hetzner uses multiple IP ranges, my four servers are spread across three different /16 subnets even though they are in the same physical location

Therefore, I think the numbers above need to be seen with a certain amount of variance (1-2% maybe). Still, I find ~15% internal traffic quite shocking!

Just found this regarding your topic:

I don’t know where the discussion went - maybe someone else has an idea or time to follow/untangle that old issue…