On 20.10.25 at 12:29, Ralph Seichter via tor-relays wrote:
> Well, there's more, is there not? Hetzner reports of this kind typically list a whole range of destination IP addresses, i.e. portscans for network ranges (class C being pretty common).
hey hey

i run a relay, not an exit node. the report from hetzner was both times ~300 lines long

================
TIME (UTC) SRC SRC-PORT -> DST DST-PORT SIZE PROT
----------------------------------------------------------------------------
2025-10-14 22:37:13 188.40.xxx.yyy 45254 -> 96.9.98.2 443 74 TCP
2025-10-14 22:37:14 188.40.xxx.yyy 45254 -> 96.9.98.2 443 74 TCP
2025-10-14 22:37:16 188.40.xxx.yyy 45254 -> 96.9.98.2 443 74 TCP
2025-10-14 22:36:25 188.40.xxx.yyy 37016 -> 96.9.98.8 443 74 TCP
2025-10-14 22:36:26 188.40.xxx.yyy 37016 -> 96.9.98.8 443 74 TCP
2025-10-14 22:36:28 188.40.xxx.yyy 37016 -> 96.9.98.8 443 74 TCP
2025-10-14 22:37:46 188.40.xxx.yyy 35794 -> 96.9.98.9 443 74 TCP
2025-10-14 22:37:47 188.40.xxx.yyy 35794 -> 96.9.98.9 443 74 TCP
2025-10-14 22:37:49 188.40.xxx.yyy 35794 -> 96.9.98.9 443 74 TCP
2025-10-14 22:37:52 188.40.xxx.yyy 42760 -> 96.9.98.10 443 74 TCP
2025-10-14 22:37:53 188.40.xxx.yyy 42760 -> 96.9.98.10 443 74 TCP
2025-10-14 22:37:55 188.40.xxx.yyy 42760 -> 96.9.98.10 443 74 TCP
2025-10-14 22:37:44 188.40.xxx.yyy 40534 -> 96.9.98.12 443 74 TCP
2025-10-14 22:37:45 188.40.xxx.yyy 40534 -> 96.9.98.12 443 74 TCP
2025-10-14 22:37:47 188.40.xxx.yyy 40534 -> 96.9.98.12 443 74 TCP
2025-10-14 22:33:58 188.40.xxx.yyy 48910 -> 96.9.98.14 443 74 TCP
2025-10-14 22:36:43 188.40.xxx.yyy 38028 -> 96.9.98.14 443 74 TCP
2025-10-14 22:33:25 188.40.xxx.yyy 48910 -> 96.9.98.14 443 74 TCP
2025-10-14 22:35:06 188.40.xxx.yyy 52632 -> 96.9.98.15 443 74 TCP
2025-10-14 22:35:07 188.40.xxx.yyy 52632 -> 96.9.98.15 443 74 TCP
2025-10-14 22:35:09 188.40.xxx.yyy 52632 -> 96.9.98.15 443 74 TCP
2025-10-14 22:36:29 188.40.xxx.yyy 41368 -> 96.9.98.16 443 74 TCP
2025-10-14 22:36:30 188.40.xxx.yyy 41368 -> 96.9.98.16 443 74 TCP
2025-10-14 22:36:32 188.40.xxx.yyy 41368 -> 96.9.98.16 443 74 TCP
....
================

and so on

*all* of those addresses are tor relays both times according to [1] and [2], and according to the same sites their torport is 443.
my speculation is still in the direction that they're maybe doing maintenance, taking down all nodes, and then my relay tries to connect to them and gives up after three times. still nothing i'd see as bad behavior?
> Portscans are /not/ fine. If you are not running an exit node, there is no reason for your node to connect to port 443 on a whole range of target hosts. That traffic is either spoofed, or something is very wrong on your node.
as said, the destination ip/port are *always* valid tor nodes, so i do not see this as port scan.
> However, if you are running an exit node, you can pretty much bet that some bozos will abuse it to run portscans. Occupational hazard. And it's not fine either.
if i'd run an exit node i'd wonder about nothing ;) and tbh i'd also not let it run via hetzner. as there i'd expect problems of other kind on a daily basis. i'm very thankful for all the exit node operators.

cheers
Jan

[1] https://metrics.torproject.org/rs.html#search/64.65.1
[2] https://metrics.torproject.org/rs.html#search/96.9.98
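
The check argued over in this thread can be scripted. The following is an added example, not part of the original messages or of any Tor or Hetzner tooling: it parses flow lines in the layout of the quoted report, separates destinations that appear in a relay list from those that do not, and counts repeats that reuse a source port (consistent with retries of one connection attempt rather than new probes). `KNOWN_ORPORTS` is a constructed stand-in for a relay list such as the one behind [1] and [2], and the last sample line is constructed.

```python
import re
from collections import defaultdict

# Flow line layout of the quoted report: date time src sport -> dst dport size proto
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\S+\s+(\d+)\s+->\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+\d+\s+\w+$")

# First six lines copied from the report above; the last line is constructed.
SAMPLE_REPORT = """\
2025-10-14 22:37:13 188.40.xxx.yyy 45254 -> 96.9.98.2 443 74 TCP
2025-10-14 22:37:14 188.40.xxx.yyy 45254 -> 96.9.98.2 443 74 TCP
2025-10-14 22:37:16 188.40.xxx.yyy 45254 -> 96.9.98.2 443 74 TCP
2025-10-14 22:33:58 188.40.xxx.yyy 48910 -> 96.9.98.14 443 74 TCP
2025-10-14 22:36:43 188.40.xxx.yyy 38028 -> 96.9.98.14 443 74 TCP
2025-10-14 22:33:25 188.40.xxx.yyy 48910 -> 96.9.98.14 443 74 TCP
2025-10-14 22:40:00 188.40.xxx.yyy 50000 -> 203.0.113.5 22 74 TCP
"""
# Constructed stand-in for (address, ORPort) pairs taken from a relay list.
KNOWN_ORPORTS = {("96.9.98.2", 443), ("96.9.98.14", 443)}

def parse(report):
    """Yield (timestamp, src_port, dst, dst_port); headers and rulers are skipped."""
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def triage(report, known_orports):
    """Group flows by (dst, dst_port) and split them by relay-list membership."""
    attempts = defaultdict(list)
    for ts, sport, dst, dport in parse(report):
        attempts[(dst, dport)].append((ts, sport))
    explained = {k: v for k, v in attempts.items() if k in known_orports}
    unexplained = {k: v for k, v in attempts.items() if k not in known_orports}
    return explained, unexplained

def retransmissions(flows):
    """Count lines that repeat an already seen source port for this destination."""
    return len(flows) - len({sport for _, sport in flows})

if __name__ == "__main__":
    explained, unexplained = triage(SAMPLE_REPORT, KNOWN_ORPORTS)
    for key, flows in explained.items():
        print("relay ORPort", key, "lines:", len(flows), "repeats:", retransmissions(flows))
    for key, flows in unexplained.items():
        print("NOT in relay list", key, "lines:", len(flows))
```

Any destination left in the unexplained set is what deserves a closer look on a non-exit relay.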