This post is about recent (from early November) problems with access to servers hosted on Hetzner from Russia. I decided to write this because new information has been found, by me and other people, about how it behaves, and it might be related to Tor (or not?, but maybe still useful?). The discussion with up-to-date findings (in Russian) can be found here: Недоступность Hetzner - Russia - NTC
Preface
A lot of people on ntc.party speculated about the way the Hetzner block acts, because it seemed that it was somehow targeted and would only show itself to a small portion of people, and would sometimes go away and return without any clear mechanism. I was trying to find at least one (of possibly many) triggers that activate said block.
When you experience that block, TCP connections to all ports cannot be established: you never get a response to a SYN packet, and UDP doesn’t work either, but ICMP ping works correctly without any problems. I think this applies to all Hetzner IPs (people were referring to this list of IP ranges: AS24940 Hetzner Online GmbH details - IPinfo.io). I was testing it in particular on sites like archlinux.org and kde.org, which are hosted there. I have also experienced the same behavior, synchronously, with OVH hosting; in particular I was testing with the socket4.lichess.org domain.
An important finding was that blocking all outgoing connections (or pulling the WAN cable out) for around 15 minutes would make the block go away until it was triggered again by something.
The trigger
After I was able to reset the block I started to try different things that might trigger it, and that included launching and connecting to Tor using Tor Browser without any bridges configured, which does not allow you to connect successfully, but that wasn’t the point. And to my surprise, it did reliably trigger the Hetzner block around 20 seconds after clicking the “Connect” button.
I recorded all traffic that the Tor Browser was making with Wireshark and analyzed it later to pinpoint the exact reason it triggered the block. And what I found is that my Tor Browser would establish a TLS connection to www.phpmyadmin.net, with IP 185.76.9.27 in my case.
Later, after I waited 15 minutes to remove the block, I launched curl to check connections to kde.org every 2 seconds, and as soon as I visited https://www.phpmyadmin.net/ in my browser, kde.org stopped responding immediately. The phpMyAdmin site itself still continues to work after Hetzner is blocked. This behavior was confirmed by a few other people on ntc.party, but it still might vary from ISP to ISP; one person said they got the block only from visiting phpmyadmin without www.
So far I think it’s the only trigger that has been pinpointed. I’m not sure if it’s specifically related to Tor; maybe it’s used for domain fronting by some other projects as well. I hope someone here can share ideas about how all of that is related.
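The checks described in the post (polling TCP to kde.org every 2 seconds, ICMP ping as the control, then looking back through a capture for the connection that preceded the block) as an added diagnostic example; this is not the author's code. It assumes a Linux host with the `ping` binary, and the canary host, port and the (timestamp, SNI) log format are assumptions.

```python
import socket
import subprocess
import time

def tcp_reachable(host, port=443, timeout=3.0):
    """True if the TCP handshake completes; a SYN that is never answered
    surfaces here as a timeout (an OSError subclass)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def icmp_reachable(host, timeout=2):
    """True if one ICMP echo is answered (Linux ping flags assumed)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def classify(tcp_ok, icmp_ok):
    """'ok': handshake works; 'syn-blackhole': ping answers but the SYN
    does not (the pattern in the post); 'unreachable': neither works."""
    if tcp_ok:
        return "ok"
    return "syn-blackhole" if icmp_ok else "unreachable"

def transitions(samples):
    """samples: iterable of (timestamp, state).  Return the moments the
    state changed as (timestamp, old_state, new_state)."""
    changes, prev = [], None
    for ts, state in samples:
        if prev is not None and state != prev:
            changes.append((ts, prev, state))
        prev = state
    return changes

def connections_before(conn_log, ts, window=30.0):
    """Candidate triggers: (timestamp, sni) entries from a capture log
    (assumed format) within `window` seconds before a transition at `ts`."""
    return [c for c in conn_log if ts - window <= c[0] <= ts]

def monitor(host="kde.org", port=443, interval=2.0, rounds=5):
    """Poll like the curl loop in the post; returns sampled (ts, state)."""
    samples = []
    for _ in range(rounds):
        state = classify(tcp_reachable(host, port), icmp_reachable(host))
        samples.append((time.time(), state))
        time.sleep(interval)
    return samples
```

Run `transitions(monitor())` while reproducing a suspected trigger, then feed the transition timestamp and a list of TLS SNI entries exported from the capture to `connections_before` to shortlist what was contacted just before the block appeared.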