[tor-relays] Hetzner abuse reports

Greetings,

I'm running a Tor relay (0.4.8.21 on FreeBSD) on a small VM hosted by
Hetzner and received an abuse report from them. Although this kinda looks
like the topic "Hetzner Netscan False Positives" that was discussed
recently[0], I have not found out who initiated the report to Hetzner and
I'm also puzzled by the distinct destination addresses. And I also thought
it might be good to report publicly that these reports are still an
issue for relay operators.

The report is basically:

-------------------
We have indications that an attack has been conducted from your server.

       Netscan detected from host <my-ip-address>

TIME (UTC) SRC SRC-PORT -> DST DST-PORT SIZE PROT
--------------------------------------------------------------------
2026-02-28 11:14:23 xxx 48905 -> xxx.xx.116.12 443 74 TCP
2026-02-28 11:14:24 xxx 48905 -> xxx.xx.116.13 9004 74 TCP
2026-02-28 11:14:12 xxx 23292 -> xxx.xx.116.32 9002 74 TCP
[...]
-------------------

In the attached report I can find ~500 entries, spanning across 5 minutes,
with my address as "source" and several destination addresses that can be
grouped into three entities:

* 5 entries for UDP traffic to the Xerox Corporation, at least according
  to whois. Weird, but then again: UDP, spoofable, and I did not consider
  these 5 entries relevant enough to investigate further.

* 5 entries for UDP traffic to 198.18.0.1 -- which is a bogon address,
  used for RFC 2544 and should not be routed anyway. Weird, that this
  would show up in their abuse report.

* The remaining entries point to network addresses in a /24 network. whois
  points to a RIPE assignment, and querying RIPE directly for these
  addresses, they are all marked as "TOR EXIT".

So, clearly these addresses are part of the Tor network and I fail to
understand who contacted Hetzner, complaining that my relay node
contacted...other Tor nodes? Or is it a bad actor, disguising as a "TOR
EXIT" and then sending abuse reports to the hosting companies?

Does anyone have an idea what to make of this report?

Thanks,
Christian.

[0] Hetzner Netscan False Positives - tor-relays - lists.torproject.org

--
BOFH excuse #217:

The MGs ran out of gas.
_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-leave@lists.torproject.org
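
An added example, not part of the original message: one way a relay operator could triage a netscan report in the layout quoted above, grouping rows by destination /24 and protocol and separating out the RFC 2544 benchmarking range that 198.18.0.1 belongs to. The sample rows, every address in them, the UDP port and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# 198.18.0.0/15 is reserved for benchmarking (RFC 2544) and is not routed publicly.
RFC2544 = ipaddress.ip_network("198.18.0.0/15")

# One data row: date time, source, source port, "->", destination, port, size, protocol.
ROW = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+\d+\s+->\s+"
                 r"(\S+)\s+(\d+)\s+\d+\s+(\w+)$")

# Constructed sample in the report's layout; all addresses and the UDP port are made up.
SAMPLE = """\
TIME (UTC) SRC SRC-PORT -> DST DST-PORT SIZE PROT
--------------------------------------------------------------------
2026-02-28 11:14:23 192.0.2.10 48905 -> 203.0.113.12 443 74 TCP
2026-02-28 11:14:24 192.0.2.10 48905 -> 203.0.113.13 9004 74 TCP
2026-02-28 11:14:12 192.0.2.10 23292 -> 203.0.113.32 9002 74 TCP
2026-02-28 11:15:02 192.0.2.10 40112 -> 198.18.0.1 33434 74 UDP
2026-02-28 11:15:03 192.0.2.10 40113 -> 198.18.0.1 33434 74 UDP
[...]
"""

def parse_rows(text):
    """Yield (dst, dst_port, proto) per data row; headers, rules and '[...]' are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # redacted ("xxx.xx.116.12") or malformed destination
        yield dst, int(m.group(2)), m.group(3).upper()

def summarize(text):
    """Map (network label, protocol) to row count, distinct hosts and distinct ports."""
    groups = defaultdict(lambda: {"rows": 0, "hosts": set(), "ports": set()})
    for dst, port, proto in parse_rows(text):
        if dst in RFC2544:
            label = "RFC 2544 bogon"
        else:
            prefix = 24 if dst.version == 4 else 64
            label = str(ipaddress.ip_network(f"{dst}/{prefix}", strict=False))
        g = groups[(label, proto)]
        g["rows"] += 1
        g["hosts"].add(dst)
        g["ports"].add(port)
    return dict(groups)

if __name__ == "__main__":
    for (label, proto), g in sorted(summarize(SAMPLE).items()):
        print(f"{label:18} {proto} rows={g['rows']} hosts={len(g['hosts'])} ports={sorted(g['ports'])}")
```

Each resulting group can then be checked with whois or against the public relay list before replying to the hoster.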