On Sun, 1 Mar 2026, Christian Kujau via tor-relays wrote:
I'm running a Tor relay (0.4.8.21 on FreeBSD) on a small VM hosted by Hetzner and received an abuse report from them. Although this kinda looks like the topic "Hetzner Netscan False Positives" that was discussed recently[0], I have not found out who initiated the report to Hetzner and I'm also puzzled by the distinct destination addresses. And I also thought it might be good to report this publicly that these reports are still an issue for relay operators.
The report is basically:
-------------------
We have indications that an attack has been conducted from your server.
Netscan detected from host <my-ip-address>
This just happened again, and Hetzner forwarded another abuse report to me. This time the "target" addresses were all part of a group called "1st Amendment Encrypted Openness LLC" and they themselves are running Tor infrastructure -- unlikely that they contacted Hetzner about connections from other nodes. Destination port was always 443/tcp (https).

But now I see the post "Advisory: Unauthenticated remote trigger of Hetzner's "Netscan" detection" from invisibleprefixes on this list[0] that explains the whole thing in detail -- thank you for posting that! I hope Hetzner reads their emails and understands this issue. But I'm unsure what they are supposed to do here. Can these "portscans" maybe be prevented on a technical level from the relay's end?

Christian.

[0] https://lists.torproject.org/mailman3/hyperkitty/list/tor-relays@lists.torpr...
TIME (UTC)            SRC   SRC-PORT  ->  DST             DST-PORT  SIZE  PROT
--------------------------------------------------------------------
2026-02-28 11:14:23   xxx   48905     ->  xxx.xx.116.12   443       74    TCP
2026-02-28 11:14:24   xxx   48905     ->  xxx.xx.116.13   9004      74    TCP
2026-02-28 11:14:12   xxx   23292     ->  xxx.xx.116.32   9002      74    TCP
[...]
-------------------
In the attached report I can find ~500 entries, spanning across 5 minutes, with my address as "source" and several destination addresses that can be grouped into three entities:
* 5 entries for UDP traffic to the Xerox Corporation, at least according to whois. Weird, but then again: UDP, spoofable, and I did not consider these 5 entries relevant enough to investigate further.
* 5 entries for UDP traffic to 198.18.0.1 -- which is a bogon address, used for RFC 2544 and should not be routed anyway. Weird that this would show up in their abuse report.
* The remaining entries point to network addresses in a /24 network. whois points to a RIPE assignment, and querying RIPE directly for these addresses, they are all marked as "TOR EXIT".
So, clearly these addresses are part of the Tor network and I fail to understand who contacted Hetzner, complaining that my relay node contacted... other Tor nodes? Or is it a bad actor, disguised as a "TOR EXIT" and then sending abuse reports to the hosting companies?
Does anyone have an idea what to make of this report?
Thanks, Christian.
[0] https://lists.torproject.org/mailman3/hyperkitty/list/tor-relays@lists.torpr...
-- BOFH excuse #217:
The MGs ran out of gas.
-- BOFH excuse #42: spaghetti cable cause packet failure
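The triage Christian describes above (parsing the ~500 report rows, grouping destinations by /24, setting aside the RFC 2544 bogon and the spoofable UDP rows, and checking whether the remaining destinations are Tor relays) can be scripted. The following is an added example, not code from the thread or from Hetzner; the report text is a constructed sample in the column layout shown in the message, with TEST-NET addresses standing in for the masked public ones, and KNOWN_RELAYS is a hypothetical stand-in for a downloaded consensus or an Onionoo lookup.

```python
"""Triage a Hetzner-style "Netscan detected" report: parse the table, flag
bogon destinations, and compare the rest against known Tor relay ORPorts."""
import ipaddress
import re
from collections import Counter

# Constructed sample in the column layout used by the report in the thread.
# 203.0.113.0/24 and 192.0.2.0/24 stand in for real public addresses here and
# are deliberately NOT treated as bogons below.
REPORT = """\
TIME (UTC)            SRC  SRC-PORT -> DST           DST-PORT SIZE PROT
--------------------------------------------------------------------
2026-02-28 11:14:23   xxx  48905    -> 203.0.113.12  443      74   TCP
2026-02-28 11:14:24   xxx  48905    -> 203.0.113.13  9004     74   TCP
2026-02-28 11:14:12   xxx  23292    -> 203.0.113.32  9002     74   TCP
2026-02-28 11:14:30   xxx  51000    -> 198.18.0.1    53       60   UDP
2026-02-28 11:14:31   xxx  51001    -> 192.0.2.77    161      60   UDP
"""

# Hypothetical stand-in for the Tor consensus: relay address -> its ORPorts.
# In practice this comes from a cached consensus or the Onionoo API.
KNOWN_RELAYS = {
    "203.0.113.12": {443},
    "203.0.113.13": {9004},
    "203.0.113.32": {9002},
}

# Blocks that should never be a real destination on the public Internet
# (RFC 2544 benchmarking range, RFC 1918, loopback, link-local, CGNAT, ...).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "198.18.0.0/15", "240.0.0.0/4",
)]

LINE_RE = re.compile(
    r"^(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<src>\S+)\s+(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<size>\d+)\s+(?P<proto>\w+)\s*$"
)


def parse_report(text):
    """Return one dict per data row; header and separator rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "size"):
                d[k] = int(d[k])
            rows.append(d)
    return rows


def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)


def classify(row, relays=KNOWN_RELAYS):
    """Label a row: bogon, tor_orport, tor_other_port, udp_unverified or unknown."""
    if is_bogon(row["dst"]):
        return "bogon"            # unroutable destination: the report data itself is suspect
    if row["dst"] in relays:
        return "tor_orport" if row["dport"] in relays[row["dst"]] else "tor_other_port"
    if row["proto"].upper() == "UDP":
        return "udp_unverified"   # connectionless; the reported source may be spoofed
    return "unknown"


def triage(text, relays=KNOWN_RELAYS):
    """Return (per-row labels, label counts, destination counts per /24)."""
    rows = parse_report(text)
    labels = [classify(r, relays) for r in rows]
    prefixes = Counter(
        str(ipaddress.ip_network(r["dst"] + "/24", strict=False)) for r in rows
    )
    return labels, Counter(labels), prefixes


if __name__ == "__main__":
    labels, counts, prefixes = triage(REPORT)
    for r, label in zip(parse_report(REPORT), labels):
        print(f'{r["time"]} -> {r["dst"]}:{r["dport"]}/{r["proto"]}  {label}')
    print(dict(counts))
    print(dict(prefixes))
```

Rows labelled tor_orport are the relay's ordinary circuit traffic to other relays' ORPorts; a bogon destination or a UDP row with nothing behind it is a reason to question the report rather than the relay, which is the distinction worth putting in a reply to the hoster.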