On 20.10.2025 22:04 Jan via tor-relays wrote:
and so on *all* of those addresses are tor relay both times according to [1] and [2] and according the the same sides their torport is 443.
my speculation is still in the direction that they're maybe doing maintenance, taking down all nodes, and then my relay tries to connect to them and gives up after three times. still nothing i'd see as bad behavior?
Might be the case. To verify that, implement network logging on your system, including the TCP flags and maybe also the process info. With that you can verify that your system sent out those packages and how the remote replied. Address forging attacks are a common problem and ca be used to do reflecting attacks. There is no good way to avoid that if you are the middle machine in the reflection attack.