I have just received this message too. Any advice would be helpful.
Mick
On 19 December 2025 00:46:28 GMT, krishna e bera via tor-relays <tor-relays@lists.torproject.org> wrote:
Hi all,
Just got the below notice from researchers.
Is the stated vulnerability an actively exploited problem or is this a DoS attack by scaremongering?
This topic seems to have been covered in https://nusenu.medium.com/how-vulnerable-is-the-tor-network-to-bgp-hijacking-attacks-56d3b2ebfd92
but I am not sure how to apply it to my situation.
I have turned off the Guard capability for now.
Doubtful I can influence the service provider to get them to publish a new ROA.
Is there another mitigation?
Regrets to all who were using the service
-------- Forwarded Message --------
Subject: Potential vulnerability found in your Tor Relay
Date: Thu, 18 Dec 2025 23:57:20 +0000
From: ENGR - SIDR

Hello,
We are writing to alert you that your Tor relay(s) (Pasquino3) is/are vulnerable to active BGP attacks that could be used to de-anonymize users. The best mitigation to help protect your relay is to have your service provider publish a ROA for prefix(es) 209.44.96.0/19 at AS(es) 10929 with a maxLength(s) of 19.
We are researchers from the University of Connecticut reaching out to inform you that your Tor guard relay with IP address(es) 209.44.114.178 (Pasquino3) is/are currently covered by a Route Origin Authorization (ROA) which has an improperly configured maxLength attribute. This makes it vulnerable to BGP subprefix origin hijacks, where a malicious autonomous-system-level attacker may announce a subprefix of 209.44.96.0/19 and misdirect traffic destined with a high (>99%) rate of success. Guidance on how to correctly set the maxLength attribute is contained in RFC 9319 - The Use of maxLength in the Resource Public Key Infrastructure (RPKI).
We determined this vulnerability using public data sets including relay information from the Tor consensus, the RIPEStat data for IP prefix, and ROA coverage information. Feel free to contact us if you have further questions.
For further information on ROAs, see BGP Origin Validation — RIPE Network Coordination Centre
If you are not a Tor relay operator and this message reached you in error, please let us know.
Thank you,
UConn Secure Interdomain Routing Group
_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-leave@lists.torproject.org
--
Sent from a mobile device. Please excuse my brevity.
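
Added example, not part of the thread or the researchers' tooling: RFC 6811 route origin validation applied to the prefix and AS named in the forwarded notice, showing why a ROA whose maxLength exceeds the announced length lets a more-specific announcement with origin AS 10929 validate. The loose maxLength of 24 and the single /19 announcement are assumptions, since the notice does not give the current values.

```python
import ipaddress

# Constructed ROA sets as (prefix, maxLength, origin AS). The maxLength of 24 is
# an assumed "loose" value; the notice does not state the current one.
LOOSE = [("209.44.96.0/19", 24, 10929)]
TIGHT = [("209.44.96.0/19", 19, 10929)]  # the ROA the notice recommends


def validate(prefix, origin_as, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if roa_as == origin_as and net.prefixlen <= max_len:
            return "valid"
    # Covered by some ROA but matched by none: invalid, dropped by ROV routers.
    return "invalid" if covered else "not-found"


def unannounced_lengths(roa, announced):
    """Prefix lengths the ROA authorises for which the holder announces nothing."""
    roa_net = ipaddress.ip_network(roa[0])
    in_use = {n.prefixlen for n in map(ipaddress.ip_network, announced)
              if n.version == roa_net.version and n.subnet_of(roa_net)}
    return [l for l in range(roa_net.prefixlen, roa[1] + 1) if l not in in_use]


if __name__ == "__main__":
    relay_24 = "209.44.114.0/24"      # the /24 containing 209.44.114.178
    announced = ["209.44.96.0/19"]    # assumption: only the /19 is announced
    for name, roas in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, relay_24, "origin AS10929 ->",
              validate(relay_24, 10929, roas))
        print(name, "authorised but unannounced lengths:",
              unannounced_lengths(roas[0], announced))
```

With the tight ROA the more-specific /24 is Invalid and routers that enforce origin validation drop it; with the loose ROA it is Valid and wins on longest-prefix match.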