Hetzner Netscan False Positives
Hi,
we just wanted to let you know that we got a Hetzner network contact yesterday here at 39C3 to try to get this issue solved at the root.
We can not promise anything at this point but we will likely update this thread in a few weeks (January) about the status with Hetzner on this topic.
best regards, tor@appliedprivacy.net
It's very nice of you to follow up on the issue and it's much appreciated.
However it's worth noting that to continue calling these abuse reports "false positives" is not going to help. Is Hetzner more sensitive to the issue? Yes. Is it false? No.
So far the 1AEO team have blamed Hetzner, accused them of having insecure practices that are dangerous to TOR, asked the rest of us to appeal to Hetzner to stop their practice, etc... The one thing they haven't done is to address the fundamental issue which is basically something they're doing to cause this.
We need to ask the right questions if we are trying to troubleshoot a problem and until we do, we're wasting our time. Right questions such as: Why out of over 9000 relays, only 1AEO cause these abuse reports? Until they are willing to admit the problem lies on their setup instead of blaming everyone else, this problem remains.
I just got another abuse report around New Year's Eve Eastern time and had to deal with it, just like I had to deal with abuse reports on Christmas and the only thing coming from the 1AEO team is silence.
One of the fundamental problems I noticed is with their BGP setup. When their server went down, this is what I got in a traceroute:
traceroute 64.65.1.2
traceroute to 64.65.1.2 (64.65.1.2), 30 hops max, 60 byte packets
 2 static.129.67.109.65.clients.your-server.de (65.109.67.129) 0.599 ms 0.643 ms 0.741 ms
 3 core32.hel1.hetzner.com (213.239.252.181) 0.544 ms 0.484 ms core31.hel1.hetzner.com (213.239.252.177) 0.814 ms
 4 core9.fra.hetzner.com (213.239.224.170) 20.228 ms 20.133 ms 20.180 ms
 5 core0.fra.hetzner.com (213.239.252.17) 20.321 ms core4.fra.hetzner.com (213.239.224.177) 20.560 ms core1.fra.hetzner.com (213.239.245.125) 20.385 ms
 6 core12.nbg1.hetzner.com (213.239.245.246) 23.726 ms core11.nbg1.hetzner.com (213.239.224.233) 25.419 ms 25.358 ms
 7 * * *
 8 * * *
 9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
There are no routes to their server. You don't get IP unreachable. This literally has the same effect as scanning the whole non routable 10.1.1.1/24 block and you're flagged. Their upstream did not provide BGP routes to Europe when it took over, if it ever took over.
Again, they have access to their setup and they should troubleshoot the problem and fix it, not Hetzner and not me every time I have to fill out a form to prevent my IPs from getting blocked. Hetzner's concerns are valid, the fundamental problem on 1AEO side is not. Just because Hetzner is more sensitive to the issue doesn't mean the problem is imaginary.
So unfortunately I'm forced to block outgoing packets to their servers from my own relays to protect myself and I continue to do so until they openly admit the problems exist and publicly tell us the problem is fixed. I'm willing to limit my blocking only to the servers that cause this and let others pass, but unfortunately since there's no transparency on 1AEO's part and they haven't pinpointed the problem, I'll have to go with a wider ban.
Cheers.
_______________________________________________ tor-relays mailing list -- tor-relays@lists.torproject.org To unsubscribe send an email to tor-relays-leave@lists.torproject.org
Good evening,
I still don't know what the cause is and got the same email again in same time period. I can't really keep risking this as I have many other services running on this server with largest being mirror.diyarciftci.xyz. I already had my IP blocked once before. For the time being, I will be blocking 1AEO too. Looking at metrics, it looks like all got bounced at the same time as when the report came in. When good news comes back, I have no issue with unblocking.
Kind regards, Diyar Ciftci
I have my Tor node at Hetzner as well and my IP was blocked recently because I was not able to reply to their mail quick enough. However I reserved a separate IP for the Tor node so my other services running on my server were not affected by the block. Maybe this would be a solution for you?
Best regards Manu
Thanks to appliedprivacy for the update on outreach with Hetzner, and to everyone sharing operational experiences.
A few clarifications, grounded in Tor Project guidance:
- Temporary relay unreachability due to outages is an expected operating condition, and Tor is designed to adapt to changing relay availability https://community.torproject.org/policies/relays/expectations-for-relay-oper...
- Tor’s community resources note that relay operators should “try to avoid the following hosters,” listing Hetzner, based on documented operational friction reported by relay operators https://community.torproject.org/relay/community-resources/good-bad-isps/
- For context, there were two events: emergency maintenance before Christmas, and an outage before New Year’s; root cause is still under investigation, with only a physical link loss on provider equipment confirmed so far.
- Raw relay counts are a poor proxy for concentration risk, which Tor already models via families, bandwidth weighting, and path selection.
- Tor guidance also notes in Section 3 of the Expectations for Relay Operators: “Don’t block outgoing connections. Tor relays need to be able to reach all other Tor relays.” https://community.torproject.org/policies/relays/expectations-for-relay-oper...
Best, Tor at 1AEO
* Tor at 1AEO via tor-relays:
A few clarifications, grounded in Tor Project guidance: [...]
- Tor’s community resources note that relay operators should “try to avoid the following hosters,” listing Hetzner, based on documented operational friction reported by relay operators https://community.torproject.org/relay/community-resources/good-bad-isps/
That's misleading at best. The reason Hetzner is named as one of a few ISPs to possibly avoid, and which you chose not to quote, is this:
For network diversity and stronger anonymity, you should avoid providers and countries that already attract a lot of Tor capacity. [...] These hosts already have many Tor nodes being hosted there.
I have hosted Tor relays on Hetzner for many years, am still doing so now, and I did not experience "operational friction". On the contrary. Hetzner are in fact Tor-friendly. Even their legal department told me that running Tor nodes is fine as long as they don't negatively impact Hetzner's infrastructure.
The main problem is that >100 IPv4 addresses in *your* single /24 network have been unreachable several times during 2025. Hetzner's automated tools interpret connection attempts to so many hosts in a /24 in a short timeframe (originating from a given Hetzner based Tor node) as a possible network scan, which is fair enough. That's just erring on the side of caution, and they are notifying their own customers of a non-standard traffic pattern.
I am positive that if you split your nodes across a more varied IPv4 address space, false alerts could be mitigated. I do appreciate what you do for the Tor network, but please don't attempt to throw shade on Hetzner. They are simply trying to run a responsible hosting business.
-Ralph
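The heuristic described in the message above (many unanswered connection attempts into one /24 within a short timeframe), sketched as an added example that is not part of the thread and not Hetzner's actual detection logic. The window, the threshold, the helper names and the documentation-range addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Assumed values for illustration; Hetzner's real thresholds are not public.
WINDOW_S = 60    # sliding window, seconds
MIN_HOSTS = 50   # distinct unanswered hosts in one /24 that raise a flag


def flag_possible_netscan(events, window_s=WINDOW_S, min_hosts=MIN_HOSTS):
    """events: (ts_seconds, dst_ip, answered) tuples seen from ONE source host.

    Returns {"a.b.c.0/24": peak distinct unanswered hosts in any window}
    for each destination /24 whose peak reaches min_hosts.
    """
    per_net = defaultdict(list)
    for ts, dst, answered in events:
        if not answered:  # only attempts that got no reply look like probing
            net = str(ip_network(f"{dst}/24", strict=False))
            per_net[net].append((ts, dst))
    flagged = {}
    for net, attempts in per_net.items():
        attempts.sort()
        peak, start = 0, 0
        for end in range(len(attempts)):
            # slide the left edge until the window spans at most window_s
            while attempts[end][0] - attempts[start][0] > window_s:
                start += 1
            hosts = {dst for _, dst in attempts[start:end + 1]}
            peak = max(peak, len(hosts))
        if peak >= min_hosts:
            flagged[net] = peak
    return flagged


def relay_dials(prefixes, per_prefix, answered, gap_s=0.2):
    """Constructed sample: one relay dialing peer relays, gap_s apart."""
    events, n = [], 0
    for prefix in prefixes:
        for host in range(1, per_prefix + 1):
            events.append((n * gap_s, f"{prefix}.{host}", answered))
            n += 1
    return events


# 120 peers in one /24, all reachable: ordinary relay-to-relay traffic.
HEALTHY = relay_dials(["198.51.100"], 120, answered=True)
# The same /24 loses its route: every attempt goes unanswered.
OUTAGE = relay_dials(["198.51.100"], 120, answered=False)
# 120 unreachable peers spread over three /24s, 40 in each.
SPREAD = relay_dials(["192.0.2", "198.51.100", "203.0.113"], 40, answered=False)

if __name__ == "__main__":
    for name, ev in [("healthy", HEALTHY), ("outage", OUTAGE), ("spread", SPREAD)]:
        print(name, flag_possible_netscan(ev))
```

Under these assumed thresholds only the outage case is flagged, which matches the thread: the alert follows from the destination /24 going dark, not from anything unusual in the reporting relay's own behaviour.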
Thanks for the clarification. The Tor community page makes two separate points about Hetzner (https://community.torproject.org/relay/community-resources/good-bad-isps/ ):
“These hosts already have many Tor nodes being hosted there.”
and later notes that:
“It is not a problem, however, abuse reports can lead to a server lock.”
The second point is what I was referring to.
Temporary relay unreachability due to outages is expected behavior, and Tor guidance discourages relay-to-relay blocking.
Best, Tor at 1AEO
* Tor at 1AEO:
Temporary relay unreachability due to outages is expected behavior, and Tor guidance discourages relay-to-relay blocking.
Agreed. Which is why I recommend for Tor operators to *not* block your /24 network, but deal with the small nuisances that are the occasional false "possible netscan detected" reports. Giving you and the Tor devs time to come up with ways to maybe mitigate the underlying issue, which is already ongoing.
Hetzner has been routinely closing all my tickets in which I stated that the observed traffic is not worrisome between Tor nodes. There was no fuss from Hetzner's side. I prefer an ISP who is aware and supportive of Tor but still keep their ears perked to ISPs who simply object to Tor on general principle.
By the way, if a potential temporary ISP-side block is unacceptable, and to avoid the worst case scenario of some spooky organisation confiscating the host as a whole, maybe don't mix Tor nodes with business critical services... ;-)
-Ralph
Hetzner was not particularly responsive to our emails. This is a pre-notification that we will publish an advisory on this topic on 2026-02-06. To be honest I don't think it will contain much new information for most people that followed this topic in the past. The advisory is not specific to tor relays but does also affect all tor relays running at Hetzner.
tor_appliedprivacy.net via tor-relays:
Hetzner was not particularly responsive to our emails.
This is a pre-notification that we will publish an advisory on this topic on 2026-02-06.
Just when I was preparing to send the email I got another email from Hetzner, so this will be postponed by about another week.
participants (6):
- Chris Enkidu-6
- Diyar Ciftci
- Manu
- Ralph Seichter
- Tor at 1AEO
- tor_appliedprivacy.net