[tor-relays] Hetzner abuse reports

Greetings,

I'm running a Tor relay (0.4.8.21 on FreeBSD) on a small VM hosted by
Hetzner and received an abuse report from them. Although this kinda looks
like the topic "Hetzner Netscan False Positives" that was discussed
recently[0], I have not found out who initiated the report to Hetzner and
I'm also puzzled by the distinct destination addresses. And I also thought
it might be good to report this publicly that these reports are still an
issue for relay operators.

The report is basically:

-------------------
We have indications that an attack has been conducted from your server.

       Netscan detected from host <my-ip-address>

TIME (UTC) SRC SRC-PORT -> DST DST-PORT SIZE PROT
--------------------------------------------------------------------
2026-02-28 11:14:23 xxx 48905 -> xxx.xx.116.12 443 74 TCP
2026-02-28 11:14:24 xxx 48905 -> xxx.xx.116.13 9004 74 TCP
2026-02-28 11:14:12 xxx 23292 -> xxx.xx.116.32 9002 74 TCP
[...]
-------------------

In the attached report I can find ~500 entries, spanning across 5 minutes,
with my address as "source" and several destination addresses that can be
grouped into three entities:

* 5 entries for UDP traffic to the Xerox Corporation, at least according
  to whois. Weird, but then again: UDP, spoofable, and I did not consider
  these 5 entries relevant enough to investigate further.

* 5 entries for UDP traffic to 198.18.0.1 -- which is a bogon address,
  used for RFC 2544 and should not be routed anyway. Weird, that this
  would show up in their abuse report.

* The remaining entries point to network addresses in a /24 network. whois
  points to a RIPE assignment, and querying RIPE directly for these
  addresses, they are all marked as "TOR EXIT".

So, clearly these addresses are part of the Tor network and I fail to
understand who contacted Hetzner, complaining that my relay node
contacted...other Tor nodes? Or is it a bad actor, disguising as a "TOR
EXIT" and then sending abuse reports to the hosting companies?

Does anyone have an idea what to make of this report?

Thanks,
Christian.

[0] Hetzner Netscan False Positives - tor-relays - lists.torproject.org

--
BOFH excuse #217:

The MGs ran out of gas.
_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-leave@lists.torproject.org

This just happened again, and Hetzner forwarded another abuse report to
me. This time the "target" addresses were all part of a group called "1st
Amendment Encrypted Openness LLC" and they themselves are running Tor
infrastructure - unlikely that they contacted Hetzner about connections
from other nodes. Destination port was always 443/tcp (https).

But now I see the post "Advisory: Unauthenticated remote trigger of
Hetzner's "Netscan" detection" from invisibleprefixes on this list[0] that
explains the whole thing in detail -- thank you for posting that!

I hope Hetzner reads their emails and understands this issue. But I'm
unsure what they are supposed to do here. Can these "portscans" maybe
be prevented on a technical level from the relay's end?

Christian.

[0] https://lists.torproject.org/mailman3/hyperkitty/list/tor-relays@lists.torproject.org/thread/KWSEYSWFKD55P4VVBYOTHHOEIBRZODRT/

On Sun, 1 Mar 2026, Christian Kujau via tor-relays wrote:

> [...]

--
BOFH excuse #42:

spaghetti cable cause packet failure

Please don't try to solve this on your relay. Relays should be able to
reach all other relays all the time and must not interfere with the
traffic they should relay.

Best regards,
Johan

On Sun, Mar 15, 2026 at 04:47:13PM +0100, Christian Kujau via tor-relays wrote:

> [...]

Well, I have now blocked traffic on my system to two Tor communities,
which is not great of course, but I felt like I had to show Hetzner
"something" in lieu of a real solution.

I still worry that Hetzner gets fed up with sending me these
semi-automatic abuse reports and just cancels my (very cheap) account
because it's just too much hassle for them to deal with all this.

Christian.

On Sun, 15 Mar 2026, Johan Nilsson via tor-relays wrote:

> > I hope Hetzner reads their emails and understands this issue. But I'm
> > unsure what they are supposed to do here. Can these "portscans" maybe
> > be prevented on a technical level from the relay's end?
>
> Please don't try to solve this on your relay. Relays should be able to
> reach all other relays all the time and must not interfere with the
> traffic they should relay.

--
BOFH excuse #101:

Collapsed Backbone

* Christian Kujau via tor-relays:

> Well, I have now blocked traffic on my system to two Tor communities,
> which is not great of course, but I felt like I had to show Hetzner
> "something" in lieu of a real solution.

I see no need for any action on your part, let alone for meddling with
Tor traffic, to appease Hetzner. For more than a year (and counting) I
have responded to each of these "abuse" reports by stating in the
feedback form that this is routine Tor traffic, not abuse. This was
accepted by Hetzner every time.

Note that I set up a small local workflow which verifies that the
reported IP addresses really match known Tor nodes. After all, I want to
be certain that no actual abuse happens. Also, Hetzner is not trying to
be obnoxious, they only aim to protect their reputation.

-Ralph
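
A check of the kind Ralph describes above, as an added example that is not part of the thread and not his actual workflow: it parses rows in the report layout quoted in the first message and sorts each destination into known relay ORPort, known relay on another port, RFC 2544 benchmark space, or unknown. The sample rows, the `KNOWN_RELAYS` table and all function names are constructed for illustration; a real run would load relay addresses and ORPorts from current Tor directory data.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the report layout quoted in this thread. Addresses are
# RFC 5737 documentation ranges, plus the RFC 2544 address mentioned above.
REPORT = """\
TIME (UTC) SRC SRC-PORT -> DST DST-PORT SIZE PROT
--------------------------------------------------------------------
2026-02-28 11:14:23 192.0.2.10 48905 -> 203.0.113.12 443 74 TCP
2026-02-28 11:14:24 192.0.2.10 48905 -> 203.0.113.13 9004 74 TCP
2026-02-28 11:14:12 192.0.2.10 23292 -> 203.0.113.32 9002 74 TCP
2026-02-28 11:15:02 192.0.2.10 40000 -> 198.18.0.1 53 60 UDP
2026-02-28 11:15:40 192.0.2.10 51000 -> 198.51.100.7 22 74 TCP
"""
# Constructed relay table, address -> ORPorts (assumption: built from a current relay list).
KNOWN_RELAYS = {"203.0.113.12": {443}, "203.0.113.13": {9004}, "203.0.113.32": {9001}}
BENCHMARK_NET = ipaddress.ip_network("198.18.0.0/15")  # RFC 2544, not routed
ROW = re.compile(r"^(\S+ \S+)\s+(\S+)\s+(\d+)\s+->\s+(\S+)\s+(\d+)\s+(\d+)\s+(\w+)$")

def parse_report(text):
    rows = []  # (time, dst, dst_port, proto) for every well-formed data row
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator, "[...]" or free text
        try:
            dst = ipaddress.ip_address(m.group(4))
        except ValueError:
            continue  # redacted or malformed destination
        rows.append((m.group(1), dst, int(m.group(5)), m.group(7)))
    return rows

def classify(dst, dst_port, proto, relays):
    if dst in BENCHMARK_NET:
        return "non-routable"
    ports = relays.get(str(dst))
    if ports is None:
        return "unknown"  # not a known relay: this row needs a closer look
    return "tor-orport" if proto == "TCP" and dst_port in ports else "relay-other-port"

def summarize(text, relays):
    return Counter(classify(d, p, proto, relays) for _, d, p, proto in parse_report(text))

def needs_review(text, relays):
    return [(t, str(d), p) for t, d, p, proto in parse_report(text)
            if classify(d, p, proto, relays) != "tor-orport"]

print(dict(summarize(REPORT, KNOWN_RELAYS)))
```

Only the rows returned by `needs_review()` call for a closer look before the report is answered.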


On Thu, 19 Mar 2026, Ralph Seichter via tor-relays wrote:

> Tor traffic, to appease Hetzner. For more than a year (and counting) I
> have responded to each of these "abuse" reports by stating in the
> feedback form that this is routine Tor traffic, not abuse. This was
> accepted by Hetzner every time.

OK, thanks for sharing that. This gives me hope that I might get the same
reaction from Hetzner too.

> be certain that no actual abuse happens. Also, Hetzner is not trying to
> be obnoxious, they only aim to protect their reputation.

Yes, of course, and I wasn't suggesting that Hetzner was being obnoxious.
But while their reports may be sent out automatically, maybe a human being
will need to read and acknowledge all the statements that users then sent
back. But yeah, maybe I worry too much and I think I'll remove these
netblocks again on my end.

Thanks,
Christian.

--
BOFH excuse #453:

Spider infestation in warm case parts

* Christian Kujau:

> I wasn't suggesting that Hetzner was being obnoxious.

No, and I did not mean to imply that you did. I added this part to
clarify why I choose to cooperate with Hetzner in regards to the
recurring false positive reports. The automated reports are certainly
annoying, but I file it under "shit happens".

> maybe a human being will need to read and acknowledge all the
> statements that users then sent back.

Yup, that's probably the case. That can't be fun. Staff members will
hopefully realise that certain types of customer statements appear
similar in nature. Hetzner surely knows about the Tor situation, many
nodes are hosted on their infrastructure.

> maybe I worry too much and I think I'll remove these netblocks again
> on my end.

Seems like a good idea to me. Avoiding what is called "vorauseilender
Gehorsam" is important, as is not being easily intimidated when running
Tor relays.

-Ralph
