It's very nice of you to follow up on the issue and it's much appreciated.
However it's worth noting that to continue calling these abuse reports "false positives" is not going to help. Is Hetzner more sensitive to the issue? Yes. Is it false? No.
So far the 1AEO team have blamed Hetzner, accused them of having insecure practices that are dangerous to TOR, asked the rest of us to appeal to Hetzner to stop their practice, etc... The one thing they haven't done is to address the fundamental issue which is basically something they're doing to cause this.
We need to ask the right questions if we are trying to troubleshoot a problem and until we do, we're wasting our time. Right questions such as: Why, out of over 9000 relays, does only 1AEO cause these abuse reports? Until they are willing to admit the problem lies in their setup instead of blaming everyone else, this problem remains.
I just got another abuse report around New Year's Eve Eastern time and had to deal with it, just like I had to deal with abuse reports on Christmas, and the only thing coming from the 1AEO team is silence.
One of the fundamental problems I noticed is with their BGP setup. When their server went down, this is what I got in a traceroute:
traceroute 64.65.1.2
traceroute to 64.65.1.2 (64.65.1.2), 30 hops max, 60 byte packets
 2 static.129.67.109.65.clients.your-server.de (65.109.67.129) 0.599 ms 0.643 ms 0.741 ms
 3 core32.hel1.hetzner.com (213.239.252.181) 0.544 ms 0.484 ms core31.hel1.hetzner.com (213.239.252.177) 0.814 ms
 4 core9.fra.hetzner.com (213.239.224.170) 20.228 ms 20.133 ms 20.180 ms
 5 core0.fra.hetzner.com (213.239.252.17) 20.321 ms core4.fra.hetzner.com (213.239.224.177) 20.560 ms core1.fra.hetzner.com (213.239.245.125) 20.385 ms
 6 core12.nbg1.hetzner.com (213.239.245.246) 23.726 ms core11.nbg1.hetzner.com (213.239.224.233) 25.419 ms 25.358 ms
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
There are no routes to their server. You don't get IP unreachable. This literally has the same effect as scanning the whole non routable 10.1.1.1/24 block and you're flagged. Their upstream did not provide BGP routes to Europe when it took over, if it ever took over.
Again, they have access to their setup and they should troubleshoot the problem and fix it, not Hetzner and not me every time I have to fill out a form to prevent my IPs from getting blocked. Hetzner's concerns are valid, the fundamental problem on 1AEO's side is not. Just because Hetzner is more sensitive to the issue doesn't mean the problem is imaginary.
So unfortunately I'm forced to block outgoing packets to their servers from my own relays to protect myself and I continue to do so until they openly admit the problems exist and publicly tell us the problem is fixed. I'm willing to limit my blocking only to the servers that cause this and let others pass, but unfortunately, since there's no transparency on 1AEO's part and they haven't pinpointed the problem, I'll have to go with a wider ban.
Cheers.
Hi,
we just wanted to let you know that we got a Hetzner network contact yesterday here at 39C3 to try to get this issue solved at the root.
We can not promise anything at this point but we will likely update this thread in a few weeks (January) about the status with Hetzner on this topic.
best regards,
tor@xxxxxxxxxxxxxxxxxx
_______________________________________________
tor-relays mailing list -- tor-relays@xxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to tor-relays-leave@xxxxxxxxxxxxxxxxxxxx