[tor-relays] Re: Netscan Hetzner

Hello,

It’s worth noting that these abuse reports are not a Hetzner issue. They, just like all major operators, have a legitimate reason to keep monitoring their network. This is also not just about all Tor operators. These abuse reports are issued as a result of the operation of a single Tor operator.

All the abuse reports I receive (and frequently) are for 64.65.62.0/24 and less frequently from 64.65.1.0/24 and 96.9.98.0/24 all of which are served and operated by a single Tor operator.

If out of over 9400 Tor relays in operation, only the ones operated by a single operator cause these reports, it is safe to assume it’s not necessarily Tor related but operator related. There are major operators operating a great number of IP addresses and I can safely say I have never received an abuse report regarding any of those.

My guess is that each of these blocks of IPs is served on a single server. Each time the server is rebooted the network loses a whole block of Tor relays – and not so gracefully – and due to the number of those servers, each operator that’s connected to those IP addresses keeps sending packets to port 443 (ORPort) in an attempt to discover what happened and try to reconnect. Those multiple attempts on the whole block of IP addresses justifiably are flagged as port scans of a whole block. Perhaps shutting down each relay individually and gracefully before a reboot could allow the network to adjust to the loss gradually?

The most recent abuse report I received was for 64.65.62.0/24 about 3 days ago and looking at those relays you can tell the server was rebooted at that time. Unfortunately, because I was away and didn’t have time to respond to the report, one of my IP addresses was blocked and my relay became inoperable. It is now unblocked (took about a few minutes to get it unblocked) and all is well, but this whole thing is becoming quite annoying and I can’t blame Hetzner for that and I can certainly not ask them to change their whole security practice pretending that this is a Tor issue when it’s something that’s caused by a single operator.

As for how to deal with it, simply click on the retest link in the abuse report. The ticket will be closed and they’ll ask for a statement from you and you can copy and paste the same response over and over again and you’ll be fine.

Cheers

On 12/24/2025 6:39 PM, Diyar Ciftci via tor-relays wrote:

Good evening,

Apologies as this is likely the incorrect way to do things. I’m not fantastic with mailing lists. I saw on the Tor forum that some people were getting these netscan emails from Hetzner.
https://forum.torproject.org/t/tor-relays-abuse-report-from-relays-in-family-7eaac49a7840d33b62fa276429f3b03c92aa9327/20693

I got my first a few months ago and I just got my second one about an hour ago. Both times it was to the 1st amendment group IP addresses. Last time I just clicked their check button and it passed and then I gave reasoning in the next link. For some reason it doesn’t seem to be liking when I click the first link this time and keeps saying not solved. I don’t know what my best course of action is. I’ve gotten 2 reports for Hetzner for a guard and 0 for Netcup for an exit relay :( I saw in the forum post (which is to a clone of the mailing list) about temporarily blocking Tor but that feels a bit deceptive so I don’t really want to go down that route. The best thing, though it may be a long process as there may be a potential harm to how circuits are built, negatively affecting user anonymity, is for the Tor program to operate in a manner so that it doesn’t look like a netscan to some sensitive providers like Hetzner, even though we know it isn’t a netscan anyways.

If this issue keeps coming up with Hetzner I may look at not hosting a Tor relay with them because I have a lot of stuff on this server like my personal website and project mirrors and such and don’t want those to be negatively affected due to an unjust IP ban by Hetzner for running a Tor relay.

Any advice?

Kind regards,
Diyar Ciftci

_______________________________________________
tor-relays mailing list -- [tor-relays@lists.torproject.org](mailto:tor-relays@lists.torproject.org)
To unsubscribe send an email to [tor-relays-leave@lists.torproject.org](mailto:tor-relays-leave@lists.torproject.org)
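
The mechanism guessed at in the first message above (a whole /24 of relays dropping offline at once, so that a peer's reconnection attempts to port 443 resemble a scan of the block) can be modelled with a simple flow-based heuristic. This is an added example, not code from any poster or from Hetzner; the detector logic, thresholds, retry pattern and documentation-range addresses are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds for illustration; not any provider's real settings.
WINDOW_SECONDS = 60
MIN_DISTINCT_HOSTS = 20

def flag_netscans(flows, window=WINDOW_SECONDS, min_hosts=MIN_DISTINCT_HOSTS):
    """Return sorted (src, dst /24, dport) keys where one source sent
    unanswered connection attempts to at least min_hosts distinct addresses
    of the same /24 on the same port within any `window`-second span.
    flows: iterable of (timestamp, src_ip, dst_ip, dst_port, answered)."""
    buckets = defaultdict(list)
    for ts, src, dst, dport, answered in flows:
        if answered:                      # completed connections are normal
            continue
        block = ipaddress.ip_network(f"{dst}/24", strict=False)
        buckets[(src, str(block), dport)].append((ts, dst))
    flagged = []
    for key, events in buckets.items():
        events.sort()
        start, counts = 0, defaultdict(int)   # counts: dst -> hits in window
        for ts, dst in events:
            counts[dst] += 1
            while ts - events[start][0] > window:   # slide the window forward
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_hosts:
                flagged.append(key)
                break
    return sorted(flagged)

def reconnect_attempts(src, offline_times, retries=3, retry_gap=10):
    """Constructed sample: `src` retries port 443 on each peer after that
    peer goes offline at the given time (seconds)."""
    return [(t + i * retry_gap, src, dst, 443, False)
            for dst, t in offline_times.items() for i in range(retries)]

RELAY = "192.0.2.10"                               # documentation address
PEERS = [f"198.51.100.{n}" for n in range(1, 41)]  # 40 peers in one /24
# Case 1: the host reboots and all 40 peers vanish at t=0.
abrupt = reconnect_attempts(RELAY, {p: 0 for p in PEERS})
# Case 2: peers are stopped one at a time, five minutes apart.
staggered = reconnect_attempts(RELAY, {p: i * 300 for i, p in enumerate(PEERS)})

if __name__ == "__main__":
    print("abrupt:", flag_netscans(abrupt), "staggered:", flag_netscans(staggered))
```

Under these assumed thresholds the simultaneous outage is flagged as a scan of the /24, while the staggered shutdown never puts more than one unanswered destination inside the window.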

That’s understandable and stuff happens. I too live in a country that celebrates Christmas which is why I didn’t respond to the abuse report and my IP was blocked.

That being said, we should avoid making unsubstantiated claims. Saying:

> These emails suggest Hetzner monitors flow-level data (e.g., NetFlow), which raises concerns about potential exposure of Tor traffic characteristics.

sounds funny. Any network admin worth their salt managing a large network will know they should protect the network from port scanners, otherwise any schmuck can rent a VPS and start port scanning other networks. So, based on your claim, all competent network admins should be a danger to the Tor network.

As for your other claim, I decided to do a relay search. Out of over 9400 Tor relays, 407 of them are operated out of Hetzner (AS24940). You as a single Tor operator control around 750 relays give or take. Which one would you say is a bigger security risk?

On 12/29/2025 1:56 AM, Tor at 1AEO wrote:

Repeating email threads - here’s the previous one covering the same topics: https://lists.torproject.org/mailman3/hyperkitty/list/tor-relays@lists.torproject.org/message/UPW4GC3AYSP5HIK3OJ3PRGWEPX37BDOK/

The internet and Tor operate with an understanding that any relay at any point in time can be unreachable.

Thousands of hosting providers for Tor relays and only Hetzner sends false abuse reports.

3 days ago the datacenter had an emergency maintenance power event, the day before Christmas in a country that celebrates Christmas, and took all the servers in their rack offline with no notice.
We had the opportunity to spend hours on Christmas day getting the server back online because, as it turns out, the technician accidentally “bumped” the NIC and disconnected our server as well, all while handling their original emergency maintenance power event.

For past events, we’ve seen upstream switches go offline dropping BGP routes and Ubuntu 24.04 default installs with only Tor running suddenly crash.

On Sunday, December 28th, 2025 at 10:30 PM, Chris Enkidu-6 via tor-relays tor-relays@lists.torproject.org wrote:

_______________________________________________
tor-relays mailing list -- [tor-relays@lists.torproject.org](mailto:tor-relays@lists.torproject.org)
To unsubscribe send an email to [tor-relays-leave@lists.torproject.org](mailto:tor-relays-leave@lists.torproject.org)

Hello.

Chris Enkidu-6 wrote:

> As for your other claim, I decided to do a relay search. Out of over
> 9400 Tor relays 407 of them are operated out of Hetzner (AS24940). You
> as a single Tor operator control around 750 relays give or take. Which
> one would you say is a bigger security risk?

To be fair, a relay operator running hundreds of relays is less likely
to be a risk because they are less likely to be monitoring or exporting
traffic flows. That's not to say that monitoring traffic flows is bad,
but if someone came up to a relay operator and said "hey, send us highly
detailed traffic statistics and metadata and some money and we'll alert
you if we detect anything suspicious", the operator is more likely to
report the offer here than to sign a contract and call it good business
sense.

Ability to correlate traffic != willingness to engage in activities that
would make traffic correlation feasible.

Regards,
forest
