Greetings,

I'm running a Tor relay (0.4.8.21 on FreeBSD) on a small VM hosted by Hetzner and received an abuse report from them. Although this kinda looks like the topic "Hetzner Netscan False Positives" that was discussed recently[0], I have not found out who initiated the report to Hetzner and I'm also puzzled by the distinct destination addresses. And I also thought it might be good to report this publicly that these reports are still an issue for relay operators.

The report is basically:

-------------------
We have indications that an attack has been conducted from your server.

Netscan detected from host <my-ip-address>

TIME (UTC)           SRC  SRC-PORT -> DST            DST-PORT  SIZE  PROT
--------------------------------------------------------------------
2026-02-28 11:14:23  xxx  48905    -> xxx.xx.116.12  443       74    TCP
2026-02-28 11:14:24  xxx  48905    -> xxx.xx.116.13  9004      74    TCP
2026-02-28 11:14:12  xxx  23292    -> xxx.xx.116.32  9002      74    TCP
[...]
-------------------

In the attached report I can find ~500 entries, spanning across 5 minutes, with my address as "source" and several destination addresses that can be grouped into three entities:

* 5 entries for UDP traffic to the Xerox Corporation, at least according to whois. Weird, but then again: UDP, spoofable, and I did not consider these 5 entries relevant enough to investigate further.
* 5 entries for UDP traffic to 198.18.0.1 -- which is a bogon address, used for RFC 2544 and should not be routed anyway. Weird, that this would show up in their abuse report.
* The remaining entries point to network addresses in a /24 network. whois points to a RIPE assignment, and querying RIPE directly for these addresses, they are all marked as "TOR EXIT".

So, clearly these addresses are part of the Tor network and I fail to understand who contacted Hetzner, complaining that my relay node contacted...other Tor nodes? Or is it a bad actor, disguising as a "TOR EXIT" and then sending abuse reports to the hosting companies?

Does anyone have an idea what to make of this report?

Thanks,
Christian.

[0] https://lists.torproject.org/mailman3/hyperkitty/list/tor-relays@lists.torpr...

--
BOFH excuse #217: The MGs ran out of gas.
On Sun, 1 Mar 2026, Christian Kujau via tor-relays wrote:
> I'm running a Tor relay (0.4.8.21 on FreeBSD) on a small VM hosted by Hetzner and received an abuse report from them. Although this kinda looks like the topic "Hetzner Netscan False Positives" that was discussed recently[0], I have not found out who initiated the report to Hetzner and I'm also puzzled by the distinct destination addresses. And I also thought it might be good to report this publicly that these reports are still an issue for relay operators.
> The report is basically:
> ------------------- We have indications that an attack has been conducted from your server.
> Netscan detected from host <my-ip-address>
This just happened again, and Hetzner forwarded another abuse report to me. This time the "target" addresses were all part of a group called "1st Amendment Encrypted Openness LLC" and they themselves are running Tor infrastructure - unlikely that they contacted Hetzner about connections from other nodes. Destination port was always 443/tcp (https).

But now I see the post "Advisory: Unauthenticated remote trigger of Hetzner's "Netscan" detection" from invisibleprefixes on this list[0] that explains the whole thing in detail -- thank you for posting that!

I hope Hetzner reads their emails and understands this issue. But I'm unsure what they are supposed to do here. Can these "portscans" maybe be prevented on a technical level from the relay's end?

Christian.

[0] https://lists.torproject.org/mailman3/hyperkitty/list/tor-relays@lists.torpr...
-- BOFH excuse #42: spaghetti cable cause packet failure
On Sun, Mar 15, 2026 at 04:47:13PM +0100, Christian Kujau via tor-relays wrote:
> This just happened again, and Hetzner forwarded another abuse report to me. This time the "target" addresses were all part of a group called "1st Amendment Encrypted Openness LLC" and they themselves are running Tor infrastructure - unlikely that they contacted Hetzner about connections from other nodes. Destination port was always 443/tcp (https).
> But now I see the post "Advisory: Unauthenticated remote trigger of Hetzner's "Netscan" detection" from invisibleprefixes on this list[0] that explains the whole thing in detail -- thank you for posting that!
> I hope Hetzner reads their emails and understands this issue. But I'm unsure what they are supposed to do here. Can these "portscans" maybe be prevented on a technical level from the relay's end?

Please don't try to solve this on your relay. Relays should be able to reach all other relays all the time and must not interfere with the traffic they should relay.

Best regards,
Johan
On Sun, 15 Mar 2026, Johan Nilsson via tor-relays wrote:
> > I hope Hetzner reads their emails and understands this issue. But I'm unsure what they are supposed to do here. Can these "portscans" maybe be prevented on a technical level from the relay's end?
> Please don't try to solve this on your relay. Relays should be able to reach all other relays all the time and must not interfere with the traffic they should relay.

Well, I have now blocked traffic on my system to two Tor communities, which is not great of course, but I felt like I had to show Hetzner "something" in lieu of a real solution. I still worry that Hetzner gets fed up with sending me these semi-automatic abuse reports and just cancel my (very cheap) account because it's just too much hassle for them to deal with all this.

Christian.

--
BOFH excuse #101: Collapsed Backbone
* Christian Kujau via tor-relays:
> Well, I have now blocked traffic on my system to two Tor communities, which is not great of course, but I felt like I had to show Hetzner "something" in lieu of a real solution.

I see no need for any action on your part, let alone for meddling with Tor traffic, to appease Hetzner. For more than a year (and counting) I have responded to each of these "abuse" reports by stating in the feedback form that this is routine Tor traffic, not abuse. This was accepted by Hetzner every time.

Note that I set up a small local workflow which verifies that the reported IP addresses really match known Tor nodes. After all, I want to be certain that no actual abuse happens. Also, Hetzner is not trying to be obnoxious, they only aim to protect their reputation.

-Ralph
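A check of the kind described in the message above could look like the following. This is an added example, not Ralph's workflow and not code from the thread: it parses report lines in the layout quoted earlier and sorts each destination into RFC 2544 benchmark space, known relay, or unexplained. The report lines and the relay set are constructed placeholders; a real relay set would be loaded from current Tor relay data.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of the quoted Netscan report
# (documentation addresses, not values from a real report).
SAMPLE_REPORT = """\
TIME (UTC)           SRC          SRC-PORT -> DST           DST-PORT SIZE PROT
2026-02-28 11:14:23  203.0.113.7  48905    -> 192.0.2.12    443      74   TCP
2026-02-28 11:14:24  203.0.113.7  48905    -> 192.0.2.13    9004     74   TCP
2026-02-28 11:14:12  203.0.113.7  23292    -> 192.0.2.32    9002     74   TCP
2026-02-28 11:15:01  203.0.113.7  40112    -> 198.18.0.1    53       60   UDP
2026-02-28 11:15:40  203.0.113.7  51000    -> 198.51.100.9  22       74   TCP
"""
# Constructed stand-in for a relay list: (address, ORPort) pairs.
KNOWN_RELAYS = {("192.0.2.12", 443), ("192.0.2.13", 9004), ("192.0.2.32", 9002)}
BENCHMARK_NET = ipaddress.ip_network("198.18.0.0/15")  # RFC 2544 range

LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\S+\s+\d+\s+->\s+"
                  r"(?P<dst>[0-9A-Fa-f:.]+)\s+(?P<port>\d+)\s+\d+\s+(?P<proto>\w+)$")

def parse_report(text):
    """Yield (dst, dst_port, proto) per flow line; skip headers and rulers."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m.group("dst"))
        except ValueError:  # redacted or malformed address
            continue
        yield dst, int(m.group("port")), m.group("proto")

def classify(dst, port, proto, relays=KNOWN_RELAYS):
    """Label one destination: 'bogon', 'tor-relay' or 'unexplained'."""
    if dst in BENCHMARK_NET:
        return "bogon"
    if proto == "TCP" and (str(dst), port) in relays:
        return "tor-relay"
    return "unexplained"

def triage(text, relays=KNOWN_RELAYS):
    """Return (counts per label, flows that still need a manual look)."""
    counts, leftovers = Counter(), []
    for dst, port, proto in parse_report(text):
        kind = classify(dst, port, proto, relays)
        counts[kind] += 1
        if kind == "unexplained":
            leftovers.append((str(dst), port, proto))
    return counts, leftovers

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Only when `leftovers` is empty does the report consist entirely of relay-to-relay traffic and unroutable noise; anything left over is what deserves a closer look before answering the provider.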
On Thu, 19 Mar 2026, Ralph Seichter via tor-relays wrote:
> Tor traffic, to appease Hetzner. For more than a year (and counting) I have responded to each of these "abuse" reports by stating in the feedback form that this is routine Tor traffic, not abuse. This was accepted by Hetzner every time.

OK, thanks for sharing that. This gives me hope that I might get the same reaction from Hetzner too.

> be certain that no actual abuse happens. Also, Hetzner is not trying to be obnoxious, they only aim to protect their reputation.

Yes, of course, and I wasn't suggesting that Hetzner was being obnoxious. But while their reports may be sent out automatically, maybe a human being will need to read and acknowledge all the statements that users then sent back. But yeah, maybe I worry too much and I think I'll remove these netblocks again on my end.

Thanks,
Christian.

--
BOFH excuse #453: Spider infestation in warm case parts
* Christian Kujau:
> I wasn't suggesting that Hetzner was being obnoxious.

No, and I did not mean to imply that you did. I added this part to clarify why I choose to cooperate with Hetzner in regards to the recurring false positive reports. The automated reports are certainly annoying, but I file it under "shit happens".

> maybe a human being will need to read and acknowledge all the statements that users then sent back.

Yup, that's probably the case. That can't be fun. Staff members will hopefully realise that certain types of customer statements appear similar in nature. Hetzner surely knows about the Tor situation, many nodes are hosted on their infrastructure.

> maybe I worry too much and I think I'll remove these netblocks again on my end.

Seems like a good idea to me. Avoiding what is called "vorauseilender Gehorsam" is important, as is not being easily intimidated when running Tor relays.

-Ralph
Participants (3): Christian Kujau, Johan Nilsson, Ralph Seichter