- tor-relays - lists.torproject.org

Hetzner abuse reports
by Christian Kujau 15 Mar '26

15 Mar '26

Greetings, I'm running a Tor relay (0.4.8.21 on FreeBSD) on a small VM hosted by Hetzner and received an abuse report from them. Although this kinda looks like the topic "Hetzner Netscan False Positives" that was discussed recently[0], I have not found out who initiated the report to Hetzner and I'm also puzzled by the distinct destination addresses. And I also thought it might be good to report this publicly that these reports are still an issue for relay operators. The report is bascially: ------------------- We have indications that an attack has been conducted from your server. Netscan detected from host <my-ip-address> TIME (UTC) SRC SRC-PORT -> DST DST-PORT SIZE PROT -------------------------------------------------------------------- 2026-02-28 11:14:23 xxx 48905 -> xxx.xx.116.12 443 74 TCP 2026-02-28 11:14:24 xxx 48905 -> xxx.xx.116.13 9004 74 TCP 2026-02-28 11:14:12 xxx 23292 -> xxx.xx.116.32 9002 74 TCP [...] ------------------- In the attached report I can find ~500 entries, spanning across 5 minutes, with my address as "source" and several desination addresses that can be grouped into three entities: * 5 entries for UDP traffic to the Xerox Corporation, at least according to whois. Weird, but then again: UDP, spoofable, and I did not consider these 5 entries relevant enough to investigate further. * 5 entries for UDP traffic to 198.18.0.1 -- which is a bogon address, used for RFC 2544 and should not be routed anyway. Weird, that this would show up in their abuse report. * The remaining entries point to network addresses in a /24 network. whois points to a RIPE assignment, and querying RIPE directly for these addresses, they are all marked as "TOR EXIT". So, clearly these addresses are part of the Tor network and I fail to understand who contacted Hetzner, complaining that my relay node contacted...other Tor nodes? Or is it a bad actor, disguising as a "TOR EXIT" and then sending abuse reports to the hosting companies? Does anyone have an idea what to make of this report? Thanks, Christian. [0] https://lists.torproject.org/mailman3/hyperkitty/list/tor-relays@lists.torp… -- BOFH excuse #217: The MGs ran out of gas.

2 2

Relay fingerprint transfer
by Keifer Bly 15 Mar '26

15 Mar '26

Hey, So for the relay with the fingerprint 79E3B585803DE805CCBC00C1EF36B1E74372861D <https://metrics.torproject.org/rs.html#details/79E3B585803DE805CCBC00C1EF36…> OVH deleted the vps due to an error. I will need to start a new relay, but is it possible to configure with the original fingerprint as I have it written here? Thanks. --Keifer

7 8

Relays on NixOS
by Clara Engler 14 Mar '26

14 Mar '26

Hey, I wanted to ask whether there any relay operators that also run relays on NixOS. What is your setup? Do you use the package/module from nixpkgs? How do you run multiple relays? Do you override the nixpkgs? ... I am currently thinking on collecting some resources regarding that, any feedback/knowledge here would be very appreciated. :-) Thank You Cλara

4 3

relayor v26.0.0 is released: Happy Family design deployed by default
by nusenu 07 Mar '26

07 Mar '26

Hi, relayor v26.0.0 is released. https://github.com/nusenu/ansible-relayor/releases/tag/v26.0.0 relayor is an ansible role that helps you with running tor relays with minimal effort (automate everything). https://github.com/nusenu/ansible-relayor#main-benefits-for-a-tor-relay-ope… Changes in this release: * enable Happy Family by default (remove variable `tor_happy_family`) * MyFamily support remains enabled by default as well but will be removed in future relayor releases * drop support for tor version 0.4.8.x and require tor version 0.4.9.x or newer Ensure to upgrade your tor version to 0.4.9.x on your relays and control machine before running this relayor version for the first time. tor version 0.4.9.x packages are available for all relayor supported operating systems (Debian, Ubuntu, FreeBSD). kind regards, nusenu -- https://nusenu.github.io

1 0

Happy Family Roadmap for ansible-relayor/CIISS/OrNetStats
by nusenu 05 Mar '26

05 Mar '26

Hi, since David mentiond that there will be the first tor 0.4.9 stable release this week and ahf also mentioned [1] ansible-relayor in the context of the MyFamily successor Happy Family I want to give you a short roadmap in the context of relayor/CIISS/OrNetStats: * first stable tor 0.4.9.x release (likely in the coming days) * after tor 0.4.9 reaches deb.torproject.org and FreeBSD packages: * ansible-relayor will require tor version >= 0.4.9 and enable Happy Family by default in addition to MyFamily * after the first tor browser release with tor 0.4.9 for all platforms: * MyFamily support will be removed from ansible-relayor * CIISS version 3 is released: MyFamily is replaced with the Happy Family system * operators will have to update their proofs * we wait for happy family support in onionoo [2] * OrNetStats will implement and verify proofs according to CIISS version 3 [1] https://lists.torproject.org/mailman3/hyperkitty/list/tor-relays@lists.torp… [2] https://gitlab.torproject.org/tpo/network-health/metrics/onionoo/-/issues/4… kind regards, nusenu -- https://nusenu.github.io

2 2

Relay operators meetup in France
by Jolie Fleure 04 Mar '26

04 Mar '26

Dear relay operators, Interhack, a network of french-speaking hackerspaces organises a gathering from 2 to 5 July, in Sévérac (Loire Atlantique) in France https://2026.camp.interhacker.space/ Tor-related discussions typically occur at Interhack/hackerspaces events. Following the call for more distributed relay operator meetups, we are thinking of taking the opportunity of this event to propose one there. That would be a rather small meeting, considering the limited size of the event itself and the quite remote location. Also we are very small scale relay operators (currently we operate one relay and a bunch of bridges). Nontheless, we would be very happy to meet other relay operators and push more tor discussions in our hackerspaces. What do you think of this? Is there a more official way of announcing a relay operator meetup than sending email on this list? Are there guidelines for how such meetings should/could be conducted?

2 1

Post-Quantum Cryptography in Tor's TLS Layer: Help needed!
by Alexander Hansen Færøy 02 Mar '26

02 Mar '26

Hello Tor Relay Operators, With the arrival of OpenSSL 3.5.0 in 2025, we finally had an important missing piece of infrastructure to start enabling the Tor network to support Post-Quantum Cryptography in the outermost cryptographic layer of the Tor protocol. Since Tor version 0.4.8.17, we have supported the x25519/ML-KEM-768 hybrid handshake in our TLS layer, and we have gradually seen more relays supporting it in the production network. Tor Browser has been built against OpenSSL >= 3.5.0 since (at least) version 13.5.22, released in September 2025, and therefore supports Post-Quantum TLS handshakes today, but it requires that its guard node supports it. We need to give a big shout-out to the OpenSSL Team here to get this out and available to the masses! <3 Since Q3 2025, I've been running some semi-regular scans of the Tor production network to check for TLS cipher suite availability. This work started as part of the first Tor Community Gathering back in October, 2025[1]. The results are as follows: In January, around 28% of the Tor relays supported the Post-Quantum TLS handshake. The scan I did yesterday showed an increase of around 4 percentage points to 32.32%. Out of 9476 scanned relays, 9185 were reachable, 291 were unreachable. Of the 9185 reachable relays, I saw the following distribution of cipher suites: `TLS13_AES_256_GCM_SHA384`: 9023 relays. `TLS13_CHACHA20_POLY1305_SHA256`: 158 relays. `TLS13_AES_128_GCM_SHA256`: 4 relays. For the key exchange groups, I saw the following distribution: `secp256r1`: 6212 relays. `X25519MLKEM768`: 2969 relays. `X25519`: 4 relays. Of the Directory Authorities, 5 of them supported the `X25519MLKEM768` key exchange group during the TLS handshakes. 2969 / 9185 * 100 = 32.32% of relays support the `X25519MLKEM768` cipher suite. This number is a good start, but we should ideally bump it up! You can see the individual results for your relay(s) in the big table available at https://ahf.me/tor-tls-pqc/2026-02-26/ -- entries without a cipher suite or key exchange group were unreachable at the time I ran the scan. These missing entries can be due to a network problem anywhere on the path between my host and yours, so don't get worried if your relay is missing :-) The scanner I used is free software and is available as part of the Network Health Team's Margot tool[2], used for various analysis purposes. Please note that the goal here isn't to enumerate all available cipher suites for each relay, but instead I'm interested in the "strongest" possible cipher suite my custom client can negotiate with each relay. My ask for you as the relay operator community here is as follows: Next time you folks are doing maintenance on your relay(s), please have a look at whether you can upgrade either your packages or underlying software distribution to a version such that you either get a new enough version of OpenSSL (>= 3.5.0), or if you are a LibreSSL user, check whether the LibreSSL project supports the ML-KEM hybrid handshake, and upgrade to that version. It looks like the LibreSSL project is currently working towards supporting the ML-KEM handshake in the next upcoming release[3]. For Debian users, to get a new enough OpenSSL version that supports the PQC TLS handshake, you need to upgrade to (at least) Debian Trixie. For everybody else, it's best to check your respective software distribution's package management system to find the version you need to upgrade to. For Arti users, a licensing issue with the currently available crypto providers in Arti prevented enabling the ML-KEM handshake. Nick, however, has recently been making progress on this matter and has a patch up that is now pending upstream review[4]! :-) If you are excited about exploring different aspects of the Tor ecosystem, talking with other Tor enthusiasts, and you have nothing planned for your weekend in two weeks, I highly encourage you to look into the next Tor Community Gathering in Denmark. The event takes place from 2026-03-13 to 2026-03-15. For more information, check out our website at https://onionize.space/2026/ Thank you all for all the work you do to make Tor better! <3 Cheers, Alex [1]: https://onionize.space/2025/ [2]: https://gitlab.torproject.org/tpo/network-health/margot/ [3]: https://github.com/libressl/portable/blob/a989b7acb9a475fde656e48dbcb38289d… [4]: https://github.com/RustCrypto/rustls-rustcrypto/pull/143 -- Alexander Hansen Færøy

3 3

Advisory: Unauthenticated remote trigger of Hetzner's "Netscan" detection
by invisibleprefixes＠mailbox.org 01 Mar '26

01 Mar '26

CVSS v4.0 Score: 6 / Medium CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Hetzner aims to detect portscans from within their network to targets outside their network, especially to destinations not visible via BGP. When their outbound scan detection triggers on a given customer IP address the customer gets an email: "Netscan detected from host ..." If the customer does not react in time, the customer's source IP is blocked from any further communication until the customer responds to the report. According to Hetzner the blocking is enforced after "manual verification" only. Vulnerability Description ========================= An unauthenticated remote attacker, who is able to trigger outbound packets from a given Hetzner customer source IP, can trigger the described portscan detection and block a Hetzner customer's Internet access if the customer does not respond to Hetzner in time. There are many services that allow the provocation of outbound packets by design, a few popular examples: * SMTP: various outbound checks performed for incoming emails (SPF, DKIM, DMARC, ...). The attacker can influence the target of outbound destinations by sending emails from domains under their control. * DNS: Recursive resolver are usually not directly exposed to the public but other servers (SMTP, Webserver, ...) might use resolvers located within the Hetzner network. * Web Applikations can have features that allow users to trigger outbound connections to arbitrary destinations. Examples: * Link previews generated server side (for example on a fediverse server) * Server-Side RSS Readers * Server-Side Request Forgery (SSRF) weaknesses * tor relays It is NOT possible to exploit this without a service on the target system by using source IP spoofing with source IPs from prefixes not announced via BGP. Impact An unauthenticated remote attacker can - in the worst-case - block a Hetzner customer's server Internet access and take all services offline (denial of service) until the block is removed. If a host has multiple source IP addresses only the actually used source IP address is blocked. The integrity and confidentiality of the system is NOT affected. Timeline ======== * 2026-01-04: Advisory is sent to security(a)hetzner.com - including the intended release date of the advisory (2026-02-05). * 2026-01-13: Asked Hetzner for an update via email * 2026-01-27: Sent Advisory to bsi.bund.de * 2026-01-28: Hetzner answered: According to Hetzner it is a customer responsibility to deal with this. * 2026-01-28: We asked Hetzner to clarify how their customers should mitigate this risk if it is their responsibility (no answer). * 2026-02-06: Reply from Hetzner stating that this can not be exploited via source IP spoofing - which we did not claim. * 2026-02-06: We offer a call to clarify the issue * 2026-02-06: Hetzner reply: they will get back to us on 2026-02-10 * 2026-02-06: Advisory publication is postponed due to ongoing emails. * 2026-02-10: Clarify that no source IP address spoofing is involved. * 2026-02-12: Asked Hetzner if they have any further questions and if they have any feedback on the advisory release date (no answer). * 2026-03-01: Advisory is released. Credits ======== We did not discover this and we do not take any credits for the discovery of this issue. This issue got discovered because the Netscan detection also got triggered during BGP outages where some IP prefixes were no longer visible via BGP. Some Hetzner customers were affected by these BGP outages causing Netscan detections.

1 0

No. of connections according to nyx
by tor＠busybear.se 01 Mar '26

01 Mar '26

Hello! I would like to know what is considered a normal amount of connections and what affects that? My exit 7BE9E2EF2BB41BB662D9A3CD68289B9E3DBF8A08 WYSWYG hovers around 4500 inbound, 4200 outbound and sometimes a few directory connections, according to nyx. Output in Mb varies, but increases with the normal lifespan of relays. Is this important, will this increase over time, thus generate more traffic, or does it matter? From what I remember, this have been roughly the same during the lifetime of this relay, no matter what connection speed (5Mb - 1Gb) or which machine I've been running. No restrictions in torrc, as far as I know; Nickname WYSWYG Contactinfo <tor AT busybear DOT se> ExitRelay 1 IPv6Exit 1 Log notice file /home/*/torlog SafeLogging 1 ProtocolWarnings 1 RunAsDaemon 1 ControlPort 9051 CookieAuthentication 1 CookieAuthFileGroupReadable 1 CookieAuthFile /home/*/Downloads/control_auth_cookie ConnDirectionStatistics 1 ExtraInfoStatistics 1 DirPort 65534 ORPort 65535 NumCPUs 6 Any comments or suggestions are welcome! Cheers! //Bamse

1 0

Hibernate vs 10 Mbps throttle when bandwidth cap exceeded
by forest-relay-contact＠cryptolab.net 01 Mar '26

01 Mar '26

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello. Many server providers have a monthly bandwidth limit. It's easy enough to deal with that by using the AccountingMax option so that Tor will hibernate when it reaches the bandwidth cap to avoid service suspension. I run a relay on a provider that, rather than suspending the service, simply throttles the bandwidth to 10 Mbps until the next month when the 8 TB/month traffic cap is reset. I run through that traffic in just half a month, so the relay is only operational 50% of the time. But 10 Mbps is not nothing. What should I do here? I can think of a few options: 1. Set AccountingMax and let the relay hibernate like normal, ensuring that, whenever it is on, it can achieve maximum performance. The "free" 10 Mbps bandwidth can then be used for other things, such as I2P which does not have a ramp-up period. 2. Keep the relay running, relaying up to 1.5 TB/month extra for free, but with the caveat that the relay suddenly becomes overloaded each time it reaches the 8 TB mark until the consensus weight falls. 3. Shortly before the bandwidth cap is exceeded, automatically adjust the torrc to include "MaxAdvertisedBandwidth 10 Mbits", and remove it when the bandwidth cap resets. What is a reasonable thing to do here? Regards, forest -----BEGIN PGP SIGNATURE----- iHUEARYKAB0WIQQtr8ZXhq/o01Qf/pow+TRLM+X4xgUCaY/3wQAKCRAw+TRLM+X4 xtgQAQC2HWAGe7tcmuOGu2v/473IQC9lWHL03lUUpuJPSpGZpwD+LItXaqzV4vPy phr/rC4LNDZ1AY8m2ZuTzd4MwsVpsgI= =c+pq -----END PGP SIGNATURE-----

3 3