[tor-relays] Re: Netscan Hetzner
- To: tor-relays@xxxxxxxxxxxxxxxxxxxx
- Subject: [tor-relays] Re: Netscan Hetzner
- From: forest-relay-contact--- via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 29 Dec 2025 09:34:05 -0000
- In-reply-to: <DiJwd4UmAByQQmZsq7wcVRzhFRS84DuTeoF7S_OAwQm0MYpPwuT293SJDLnfpBJwf1_-LzPqfNXgr6-3BBCw82w3ir18gSZ8h3wDbAGll9g=@1aeo.com>
- List-id: "support and questions about running Tor relays (exit, non-exit, bridge)" <tor-relays.lists.torproject.org>
- References: <DiJwd4UmAByQQmZsq7wcVRzhFRS84DuTeoF7S_OAwQm0MYpPwuT293SJDLnfpBJwf1_-LzPqfNXgr6-3BBCw82w3ir18gSZ8h3wDbAGll9g=@1aeo.com>
- Reply-to: forest-relay-contact@xxxxxxxxxxxxx
- User-agent: HyperKitty on https://lists.torproject.org/
Hello.

Tor at 1AEO wrote:
> NetFlow-style data is not neutral from a privacy perspective. While it
> doesn’t include payloads, it does expose timing, fan-out, retry
> behavior, and correlation patterns. When retained or disclosed —
> intentionally or otherwise — that metadata can reveal Tor traffic
> characteristics and failure-mode behavior that would not exist at all
> if such flow data were not collected.

Most uses of NetFlow are not "monitor timing on all packets" but things
like "give statistics on one out of every N packets". When N is large
enough, it's not practical to use it for traffic correlation attacks in
that situation. Not that everyone runs it in sampled mode, of course...

Not to mention, there's no reason to suggest that Hetzner got any of
that information from NetFlow itself. They could have simply gotten it
from a set of NetFilter (e.g. iptables) rules running on the host node
that log whenever certain behavior is detected. If anything, that would
be more plausible as it does not require exporting traffic when the host
node itself is perfectly capable of doing analysis on its own.

I agree that widespread use of NetFlow (and cflowd and all that jazz) is
an issue, but I disagree that Hetzner's ability to detect certain types
of traffic behavior indicates use of NetFlow or any similar technology.

Regards,
forest
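
The host-side approach described in the message above, sketched as an added example; it is not part of the original post and is not Hetzner's actual detection logic, which the thread does not document. It assumes a hypothetical LOG rule with the prefix `NEWSYN`, ISO-8601 syslog timestamps, and an arbitrary threshold of 20 distinct destinations on one port within 60 seconds; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed source of the lines (hypothetical rule on the host node):
#   iptables -A FORWARD -p tcp --syn -j LOG --log-prefix "NEWSYN "
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: NEWSYN .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)

def detect_fanout(lines, window=timedelta(seconds=60), threshold=20):
    """Return {(src, dport): peak distinct destinations} for every source
    that sent new SYNs to >= threshold distinct hosts on one port within
    the sliding window. Lines must be in chronological (log) order."""
    recent = defaultdict(deque)            # (src, dport) -> (time, dst) pairs
    flagged = {}
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue                       # not one of our LOG lines
        ts = datetime.fromisoformat(m["ts"])
        key = (m["src"], int(m["dpt"]))
        q = recent[key]
        q.append((ts, m["dst"]))
        while ts - q[0][0] > window:       # drop entries older than the window
            q.popleft()
        distinct = len({dst for _, dst in q})
        if distinct >= threshold:
            flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged

def _line(sec, src, dst, dpt):
    """Build one constructed kernel log line (documentation addresses only)."""
    ts = (datetime(2025, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=sec)).isoformat()
    return (f"{ts} node1 kernel: NEWSYN IN=vnet0 OUT=eth0 SRC={src} DST={dst} "
            f"LEN=60 TTL=63 PROTO=TCP SPT=40000 DPT={dpt} SYN")

# Constructed sample: one guest touching 30 hosts on port 22 in 30 seconds,
# and one guest retrying the same 3 hosts on port 443 forty times.
_events = [(i, "192.0.2.10", f"198.51.100.{i + 1}", 22) for i in range(30)]
_events += [(i, "192.0.2.20", f"203.0.113.{i % 3 + 1}", 443) for i in range(40)]
SAMPLE = [_line(*e) for e in sorted(_events)]

if __name__ == "__main__":
    for (src, dport), peak in detect_fanout(SAMPLE).items():
        print(f"{src} -> port {dport}: {peak} distinct destinations in window")
```

Everything here runs on the node from its own kernel log; no flow records are exported, and the guest that only retries a few destinations is not flagged because the check counts distinct destinations rather than packets.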