On 10/28/2025 3:48 AM, R0cketCloud TOR Team via tor-relays wrote:
The problem is Hetzner's surveillance. Any provider that constantly stores and analyzes netflow data to this degree is a risk.

Hetzner is a huge provider with diverse networks. I can't blame them for trying to keep it secure in whatever way they see fit. People are not going to change providers because you say so. They choose what works for them or they stop contributing.


Instead of punishing Tor diversity, we should reduce the impact of Hetzner. I propose all Hetzner-hosted relays get the MiddleOnly flag and be barred from becoming Guard nodes.

To be honest, having a handful of operators controlling such a great number of exit nodes and exit traffic on the Tor network, to the point that a simple maintenance can create this kind of effect, is in my view just as much of a security risk.

I use Hetzner because I have a bare metal server with 12 IPv4 addresses that runs a bunch of things including Tor nodes, and it relays about 160 TB up and 160 TB down of Tor traffic each month, all for a total cost of 60 Euros. There's no way I can do that on a cheap VPS. Any time you feel like banning Hetzner I'd be glad to shut them down and move on. I choose where I run my server, and no amount of Good / Bad ISP lists made by those who are out of touch with the reality of what the average volunteer has to deal with is going to make me change my mind.

And no, I'm not promoting banning those IP addresses. This is not limited to Exit nodes. It's related to single operators holding a great number of IP addresses on a single server, and that's where the problem lies. Once a single server goes down, it will have a major effect. In fact I received a new one for 64.65.62.0/24 two days ago, for the third time in a couple of months. The whole /24 block has been down for over 2 days and they're not even Exit nodes. Dealing with Hetzner Abuse emails is quite easy. In fact they closed the ticket without me having to even answer.



I sincerely hope the network-health team sees the gravity of this. If we knowingly ban our own relays over this, we are fundamentally undermining the network.

When did we become the censors?

/r0cket



On Monday, October 27, 2025 21:20 UTC, Toralf Förster via tor-relays <tor-relays@lists.torproject.org> wrote:

On 10/22/25 6:52 AM, Tor at 1AEO via tor-relays wrote:
No other provider appears to exhibit these same issues with this traffic pattern.
I got 3 abuse complaints related to 64.65.0.0/24, 64.65.61.0/24 and 96.9.98.0/24 in the past couple of weeks.

Open to any guidance or suggestions on how best to mitigate this.
My personal solution attempt as of today is in [1]. For that I added

         EGRESS_SUBNET_SLEW="45.84.107.0 64.65.0.0/23 64.65.60.0/22 96.9.98.0 109.70.100 171.25.193.0 185.220.101.0 192.42.116.0" /opt/torutils/ipv4-rules-egress.sh start

to the init script of a bare metal server hosting 5 Tor relays. After reboot it took about 10 min for the iptables stats to calm down [2].


[1] https://github.com/toralf/torutils/blob/main/ipv4-rules-egress.sh
[2] https://0x0.st/K2C0.txt

-- 
Toralf
_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-leave@lists.torproject.org
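Added illustration of the mitigation Toralf describes above, written for this page and not taken from toralf/torutils: it parses an EGRESS_SUBNET_SLEW-style list of destination networks and generates iptables rules that rate-limit new outbound TCP connections from the relay host to each listed network. How the real script interprets the list is not stated in the mail, so the following are assumptions of this example only: a bare address such as "45.84.107.0" or a three-octet prefix such as "109.70.100" is taken as its enclosing /24, "slew" is implemented as a hashlimit on new connections per destination, the chain name and the rate/burst values are placeholders, and the rules are printed rather than applied.

```python
"""Generate per-subnet egress rate-limit rules from an EGRESS_SUBNET_SLEW list.

Added example, not code from toralf/torutils. Rules are printed, not applied;
review and adapt them before loading anything into a live firewall.
"""
import ipaddress
from typing import List

# Constructed sample in the same notation as the mailing-list post.
SAMPLE_SPEC = ("45.84.107.0 64.65.0.0/23 64.65.60.0/22 96.9.98.0 "
               "109.70.100 171.25.193.0 185.220.101.0 192.42.116.0")


def normalize(token: str) -> ipaddress.IPv4Network:
    """Turn one list token into an IPv4Network.

    Accepted forms (assumption of this example):
      a.b.c.d/len  -> used as given
      a.b.c.d      -> a.b.c.d/24 (d must be 0, otherwise strict parsing rejects it)
      a.b.c        -> a.b.c.0/24
    """
    if "/" in token:
        return ipaddress.IPv4Network(token, strict=True)
    octets = token.split(".")
    if len(octets) == 3:
        token += ".0"
    elif len(octets) != 4:
        raise ValueError(f"unrecognised subnet token: {token!r}")
    # strict=True raises for host bits set, e.g. "1.2.3.5" -> not a /24 boundary
    return ipaddress.IPv4Network(f"{token}/24", strict=True)


def parse_subnets(spec: str) -> List[ipaddress.IPv4Network]:
    """Parse the whitespace-separated list, merging overlapping/adjacent nets
    so that no destination ends up matched by two rules."""
    nets = [normalize(t) for t in spec.split()]
    return list(ipaddress.collapse_addresses(nets))


def egress_rules(spec: str, chain: str = "TOR_EGRESS_SLEW",
                 per_sec: int = 5, burst: int = 20) -> List[str]:
    """Return iptables commands, one DROP rule per network, limiting the
    rate of *new* TCP connections (SYN) toward that network.

    Chain name, rate and burst are placeholder values for illustration.
    """
    rules = []
    for net in parse_subnets(spec):
        rules.append(
            f"iptables -A {chain} -p tcp --syn -d {net} "
            f"-m hashlimit --hashlimit-name tor_slew --hashlimit-mode dstip "
            f"--hashlimit-above {per_sec}/sec --hashlimit-burst {burst} -j DROP"
        )
    return rules


def rule_script(spec: str, chain: str = "TOR_EGRESS_SLEW") -> List[str]:
    """Full command list: create the chain, fill it, hook it into OUTPUT."""
    return ([f"iptables -N {chain}"]
            + egress_rules(spec, chain)
            + [f"iptables -A OUTPUT -j {chain}"])


if __name__ == "__main__":
    for line in rule_script(SAMPLE_SPEC):
        print(line)
```

The merge step matters when an operator lists both a /24 and a /22 that contains it: after collapse_addresses only the larger network remains, so the hashlimit counter is keyed consistently. A host address that is not on a /24 boundary is rejected rather than silently widened, which is the safer failure for a list that is typed into an init script by hand.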