[tor-relays] Hetzner Netscan False Positives

Hi,

we just wanted to let you know that we got a Hetzner network contact yesterday here at 39C3 to try to get this issue solved at the root.

We can not promise anything at this point but we will likely update this thread in a few weeks (January) about the status with Hetzner on this topic.

best regards,
tor@appliedprivacy.net


_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-leave@lists.torproject.org


It’s very nice of you to follow up on the issue and it’s much appreciated.

However it’s worth noting that to continue calling these abuse reports “false positives” is not going to help. Is Hetzner more sensitive to the issue? Yes. Is it false? No.

So far the 1AEO team have blamed Hetzner, accused them of having insecure practices that are dangerous to TOR, asked the rest of us to appeal to Hetzner to stop their practice, etc… The one thing they haven’t done is to address the fundamental issue which is basically something they’re doing to cause this.

We need to ask the right questions if we are trying to troubleshoot a problem and until we do, we’re wasting our time. Right questions such as: Why out of over 9000 relays, only 1AEO cause these abuse reports? Until they are willing to admit the problem lies on their setup instead of blaming everyone else, this problem remains.

I just got another abuse report around New Year's Eve, Eastern time, and had to deal with it, just like I had to deal with abuse reports on Christmas, and the only thing coming from the 1AEO team is silence.

One of the fundamental problems I noticed is with their BGP setup. When their server went down, this is what I got in a traceroute:

traceroute 64.65.1.2
traceroute to 64.65.1.2 (64.65.1.2), 30 hops max, 60 byte packets

2 static.129.67.109.65.clients.your-server.de (65.109.67.129) 0.599 ms 0.643 ms 0.741 ms
3 core32.hel1.hetzner.com (213.239.252.181) 0.544 ms 0.484 ms core31.hel1.hetzner.com (213.239.252.177) 0.814 ms
4 core9.fra.hetzner.com (213.239.224.170) 20.228 ms 20.133 ms 20.180 ms
5 core0.fra.hetzner.com (213.239.252.17) 20.321 ms core4.fra.hetzner.com (213.239.224.177) 20.560 ms core1.fra.hetzner.com (213.239.245.125) 20.385 ms
6 core12.nbg1.hetzner.com (213.239.245.246) 23.726 ms core11.nbg1.hetzner.com (213.239.224.233) 25.419 ms 25.358 ms
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

There are no routes to their server. You don’t get IP unreachable. This literally has the same effect as scanning the whole non routable 10.1.1.1/24 block and you’re flagged. Their upstream did not provide BGP routes to Europe when it took over, if it ever took over.

Again, they have access to their setup and they should troubleshoot the problem and fix it, not Hetzner and not me every time I have to fill out a form to prevent my IPs from getting blocked. Hetzner’s concerns are valid, the fundamental problem on 1AEO side is not. Just because Hetzner is more sensitive to the issue doesn’t mean the problem is imaginary.

So unfortunately I’m forced to block outgoing packets to their servers from my own relays to protect myself and I continue to do so until they openly admit the problems exist and publicly tell us the problem is fixed. I’m willing to limit my blocking only to the servers that cause this and let others pass, but unfortunately, since there’s no transparency on 1AEO’s part and they haven’t pinpointed the problem, I’ll have to go with a wider ban.

Cheers.


On 12/30/2025 9:35 AM, tor_appliedprivacy.net via tor-relays wrote:

Hi,

we just wanted to let you know that we got a Hetzner network contact yesterday here at 39C3 to try to get this issue solved at the root.

We can not promise anything at this point but we will likely update this thread in a few weeks (January) about the status with Hetzner on this topic.

best regards,
tor@appliedprivacy.net



I have my Tor node at Hetzner as well and my IP was blocked recently because I was not able to reply to their mail quick enough. However I reserved a separate IP for the Tor node so my other services running on my server were not affected by the block. Maybe this would be a solution for you?

Best regards
Manu


On 1/1/26 10:39 PM, Diyar Ciftci via tor-relays wrote:

Good evening,

I still don't know what the cause is and got the same email again in the same time period. I can't really keep risking this as I have many other services running on this server, with the largest being mirror.diyarciftci.xyz. I already had my IP blocked once before. For the time being, I will be blocking 1AEO too. Looking at metrics, it looks like all got bounced at the same time as when the report came in. When good news comes back, I have no issue with unblocking.

Kind regards,
Diyar Ciftci


* Tor at 1AEO via tor-relays:

A few clarifications, grounded in Tor Project guidance: [...]

- Tor’s community resources note that relay operators should “try to
avoid the following hosters,” listing Hetzner, based on documented
operational friction reported by relay operators
Tor Project | Good Bad ISPs

That's misleading at best. The reason Hetzner is named as one of a few
ISPs to possibly avoid, and which you chose not to quote, is this:

  For network diversity and stronger anonymity, you should avoid
  providers and countries that already attract a lot of Tor capacity.
  [...] These hosts already have many Tor nodes being hosted there.

I have hosted Tor relays on Hetzner for many years, am still doing so
now, and I did not experience "operational friction". On the contrary.
Hetzner are in fact Tor-friendly. Even their legal department told me
that running Tor nodes is fine as long as they don't negatively impact
Hetzner's infrastructure.

The main problem is that >100 IPv4 addresses in *your* single /24 network
have been unreachable several times during 2025. Hetzner's automated
tools interpret connection attempts to so many hosts in a /24 in a short
timeframe (originating from a given Hetzner based Tor node) as a possible
network scan, which is fair enough. That's just erring on the side of
caution, and they are notifying their own customers of a non-standard
traffic pattern.

I am positive that if you split your nodes across a more varied IPv4
address space, false alerts could be mitigated. I do appreciate what you
do for the Tor network, but please don't attempt to throw shade on
Hetzner. They are simply trying to run a responsible hosting business.

-Ralph
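
The traffic pattern described in the message above (many unanswered connection attempts from one host into a single /24 within a short timeframe), as an added example that is not part of the original post and not Hetzner's tooling. The window, the host threshold, the flow-record layout and all addresses are assumptions constructed for illustration:

```python
from collections import defaultdict, deque
from ipaddress import ip_network

# Assumed thresholds for illustration; the thread does not state Hetzner's values.
WINDOW_SECONDS = 60
MIN_DISTINCT_HOSTS = 100

def constructed_events():
    """Constructed flow records: (unix_time, src_ip, dst_ip, answered)."""
    events = []
    for i in range(1, 121):
        # 120 unanswered attempts in 30 s into one /24 (destination network down).
        events.append((1000 + i * 0.25, "192.0.2.10", f"198.51.100.{i}", False))
        # Same rate, but the peers answer: ordinary relay-to-relay traffic.
        events.append((1000 + i * 0.25, "192.0.2.10", f"203.0.113.{i}", True))
        # Unanswered, but spread over 10 minutes from another host.
        events.append((1000 + i * 5, "192.0.2.20", f"198.51.100.{i}", False))
    return events

def scan_like_bursts(events, window=WINDOW_SECONDS, min_hosts=MIN_DISTINCT_HOSTS):
    """Map (src, dst /24) to the peak count of distinct unanswered destinations
    inside any sliding window, for pairs that reach min_hosts."""
    recent = defaultdict(deque)   # (src, /24) -> (time, dst) still inside the window
    peaks = {}
    for ts, src, dst, answered in sorted(events):
        if answered:
            continue
        key = (src, str(ip_network(f"{dst}/24", strict=False)))
        queue = recent[key]
        queue.append((ts, dst))
        while queue[0][0] <= ts - window:
            queue.popleft()
        distinct = len({d for _, d in queue})
        if distinct >= min_hosts:
            peaks[key] = max(peaks.get(key, 0), distinct)
    return peaks

if __name__ == "__main__":
    for (src, net), hosts in scan_like_bursts(constructed_events()).items():
        print(f"{src} -> {net}: {hosts} distinct unanswered hosts in {WINDOW_SECONDS}s")
```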


* Tor at 1AEO:

Temporary relay unreachability due to outages is expected behavior, and
Tor guidance discourages relay-to-relay blocking.

Agreed. Which is why I recommend for Tor operators to *not* block your
/24 network, but deal with the small nuisances that are the occasional
false "possible netscan detected" reports. Giving you and the Tor devs
time to come up with ways to maybe mitigate the underlying issue, which
is already ongoing.

Hetzner has been routinely closing all my tickets in which I stated that
the observed traffic is not worrisome between Tor nodes. There was no
fuss from Hetzner's side. I prefer an ISP who is aware and supportive of
Tor but still keeps their ears perked to ISPs who simply object to Tor on
general principle.

By the way, if a potential temporary ISP-side block is unacceptable,
and to avoid the worst case scenario of some spooky organisation
confiscating the host as a whole, maybe don't mix Tor nodes with
business critical services... :wink:

-Ralph
