Hi, we just wanted to let you know that we got a Hetzner network contact yesterday here at 39C3 to try to get this issue solved at the root. We can not promise anything at this point but we will likely update this thread in a few weeks (January) about the status with Hetzner on this topic. best regards, tor@appliedprivacy.net
It's very nice of you to follow up on the issue and it's much appreciated. However it's worth noting that to continue calling these abuse reports "false positives" is not going to help. Is Hetzner more sensitive to the issue? Yes. Is it false? No. So far the 1AEO team have blamed Hetzner, accused them of having insecure practices that are dangerous to TOR, asked the rest of us to appeal to Hetzner to stop their practice, etc... The one thing they haven't done is to address the fundamental issue which is basically something they're doing to cause this. We need to ask the right questions if we are trying to troubleshoot a problem and until we do, we're wasting our time. Right questions such as: Why out of over 9000 relays, only 1AEO cause these abuse reports? Until they are willing to admit the problem lies on their setup instead of blaming everyone else, this problem remains. I just got another abuse report around the new Years Eve Eastern time and had to deal with it, just like I had to deal with abuse reports on Christmas and the only thing coming from the 1AEO team is silence. One of the fundamental problems I noticed is with their BGP setup. When their server went down, this is what I got in a trceroute: traceroute 64.65.1.2 traceroute to 64.65.1.2 (64.65.1.2), 30 hops max, 60 byte packets 2 static.129.67.109.65.clients.your-server.de (65.109.67.129) 0.599 ms 0.643 ms 0.741 ms 3 core32.hel1.hetzner.com (213.239.252.181) 0.544 ms 0.484 ms core31.hel1.hetzner.com (213.239.252.177) 0.814 ms 4 core9.fra.hetzner.com (213.239.224.170) 20.228 ms 20.133 ms 20.180 ms 5 core0.fra.hetzner.com (213.239.252.17) 20.321 ms core4.fra.hetzner.com (213.239.224.177) 20.560 ms core1.fra.hetzner.com (213.239.245.125) 20.385 ms 6 core12.nbg1.hetzner.com (213.239.245.246) 23.726 ms core11.nbg1.hetzner.com (213.239.224.233) 25.419 ms 25.358 ms 7 * * * 8 * * * 9 * * * 10 * * * 11 * * * 12 * * * 13 * * * 14 * * * 15 * * * 16 * * * 17 * * * 18 * * * 19 * * * 20 * * * 21 * * * 22 * * * 23 * * * 24 * * * 25 * * * 26 * * * 27 * * * 28 * * * 29 * * * 30 * * * There are no routes to their server. You don't get IP unreachable, This literally has the same effect as scanning the whole non routable 10.1.1.1/24 block and you're flagged. Their upstream did not provide BGP routes to Europe when it took over, if it ever took over. Again, they have access to their setup and they should troubleshoot the problem and fix it, not Hetzner and not me every time I have to fill out a form to prevent my IPs from getting blocked. Hetzner's concerns are valid, the fundamental problem on 1AEO side is not. Just because Hetzner is more sensitive to the issue doesn't mean the problem is imaginary. So unfortunately I'm forced to block outgoing packets to their servers from my own relays to protect myself and I continue to do so until they openly admit the problems exist and publicly tell us the problem is fixed. I'm willing to limit my blocking only to the servers that cause this and let others pass, but unfortunately since there's no transparency on 1AEO's part and they haven't pinpointed the problem. I'll have to go with a wider ban. Cheers. On 12/30/2025 9:35 AM, tor_appliedprivacy.net via tor-relays wrote:
Hi,
we just wanted to let you know that we got a Hetzner network contact yesterday here at 39C3 to try to get this issue solved at the root.
We can not promise anything at this point but we will likely update this thread in a few weeks (January) about the status with Hetzner on this topic.
best regards, tor@appliedprivacy.net
_______________________________________________ tor-relays mailing list -- tor-relays@lists.torproject.org To unsubscribe send an email to tor-relays-leave@lists.torproject.org
Good evening, I still don't know what the cause is and got the same email again in same time period. I can't really keep risking this as I have many other services running on this server with largest being mirror.diyarciftci.xyz. I already had my IP blocked once before. For the time being, I will be blocking 1AEO too. Looking at metrics, it looks like all got bounced at the same time as when the report came in. When good news comes back, I have no issue with unblocking. Kind regards, Diyar Ciftci -------- Original Message -------- On Thursday, 01/01/26 at 20:35 Chris Enkidu-6 via tor-relays <tor-relays@lists.torproject.org> wrote:
It's very nice of you to follow up on the issue and it's much appreciated.
However it's worth noting that to continue calling these abuse reports "false positives" is not going to help. Is Hetzner more sensitive to the issue? Yes. Is it false? No.
So far the 1AEO team have blamed Hetzner, accused them of having insecure practices that are dangerous to TOR, asked the rest of us to appeal to Hetzner to stop their practice, etc... The one thing they haven't done is to address the fundamental issue which is basically something they're doing to cause this.
We need to ask the right questions if we are trying to troubleshoot a problem and until we do, we're wasting our time. Right questions such as: Why out of over 9000 relays, only 1AEO cause these abuse reports? Until they are willing to admit the problem lies on their setup instead of blaming everyone else, this problem remains.
I just got another abuse report around the new Years Eve Eastern time and had to deal with it, just like I had to deal with abuse reports on Christmas and the only thing coming from the 1AEO team is silence.
One of the fundamental problems I noticed is with their BGP setup. When their server went down, this is what I got in a trceroute:
traceroute 64.65.1.2 traceroute to 64.65.1.2 (64.65.1.2), 30 hops max, 60 byte packets
2 static.129.67.109.65.clients.your-server.de (65.109.67.129) 0.599 ms 0.643 ms 0.741 ms 3 core32.hel1.hetzner.com (213.239.252.181) 0.544 ms 0.484 ms core31.hel1.hetzner.com (213.239.252.177) 0.814 ms 4 core9.fra.hetzner.com (213.239.224.170) 20.228 ms 20.133 ms 20.180 ms 5 core0.fra.hetzner.com (213.239.252.17) 20.321 ms core4.fra.hetzner.com (213.239.224.177) 20.560 ms core1.fra.hetzner.com (213.239.245.125) 20.385 ms 6 core12.nbg1.hetzner.com (213.239.245.246) 23.726 ms core11.nbg1.hetzner.com (213.239.224.233) 25.419 ms 25.358 ms 7 * * * 8 * * * 9 * * * 10 * * * 11 * * * 12 * * * 13 * * * 14 * * * 15 * * * 16 * * * 17 * * * 18 * * * 19 * * * 20 * * * 21 * * * 22 * * * 23 * * * 24 * * * 25 * * * 26 * * * 27 * * * 28 * * * 29 * * * 30 * * *
There are no routes to their server. You don't get IP unreachable, This literally has the same effect as scanning the whole non routable 10.1.1.1/24 block and you're flagged. Their upstream did not provide BGP routes to Europe when it took over, if it ever took over.
Again, they have access to their setup and they should troubleshoot the problem and fix it, not Hetzner and not me every time I have to fill out a form to prevent my IPs from getting blocked. Hetzner's concerns are valid, the fundamental problem on 1AEO side is not. Just because Hetzner is more sensitive to the issue doesn't mean the problem is imaginary.
So unfortunately I'm forced to block outgoing packets to their servers from my own relays to protect myself and I continue to do so until they openly admit the problems exist and publicly tell us the problem is fixed. I'm willing to limit my blocking only to the servers that cause this and let others pass, but unfortunately since there's no transparency on 1AEO's part and they haven't pinpointed the problem. I'll have to go with a wider ban.
Cheers.
On 12/30/2025 9:35 AM, tor_appliedprivacy.net via tor-relays wrote:
Hi,
we just wanted to let you know that we got a Hetzner network contact yesterday here at 39C3 to try to get this issue solved at the root.
We can not promise anything at this point but we will likely update this thread in a few weeks (January) about the status with Hetzner on this topic.
best regards, tor@appliedprivacy.net
_______________________________________________ tor-relays mailing list -- tor-relays@lists.torproject.org To unsubscribe send an email to tor-relays-leave@lists.torproject.org
I have my Tor node at Hetzner as well and my IP was blocked recently because I was not able to reply to their mail quick enough. However I reserved a separate IP for the Tor node so my other services running on my server were not affected by the block. Maybe this would be a solution for you? Best regards Manu On 1/1/26 10:39 PM, Diyar Ciftci via tor-relays wrote:
Good evening,
I still don't know what the cause is and got the same email again in same time period. I can't really keep risking this as I have many other services running on this server with largest being mirror.diyarciftci.xyz. I already had my IP blocked once before. For the time being, I will be blocking 1AEO too. Looking at metrics, it looks like all got bounced at the same time as when the report came in. When good news comes back, I have no issue with unblocking.
Kind regards, Diyar Ciftci
_______________________________________________ tor-relays mailing list --tor-relays@lists.torproject.org To unsubscribe send an email totor-relays-leave@lists.torproject.org
participants (4)
-
Chris Enkidu-6 -
Diyar Ciftci -
Manu -
tor_appliedprivacy.net