
[tor-relays] Re: Hetzner abuse reports



On Sun, 1 Mar 2026, Christian Kujau via tor-relays wrote:
> I'm running a Tor relay (0.4.8.21 on FreeBSD) on a small VM hosted by 
> Hetzner and received an abuse report from them. Although this kinda looks 
> like the topic "Hetzner Netscan False Positives" that was discussed 
> recently[0], I have not found out who initiated the report to Hetzner and 
> I'm also puzzled by the distinct destination addresses. And I also thought 
> it might be good to report this publicly that these reports are still an 
> issue for relay operators.
> 
> The report is basically:
> 
> -------------------
> We have indications that an attack has been conducted from your server.
> 
>        Netscan detected from host <my-ip-address>

This just happened again, and Hetzner forwarded another abuse report to 
me. This time the "target" addresses were all part of a group called "1st 
Amendment Encrypted Openness LLC" and they themselves are running Tor 
infrastructure - unlikely that they contacted Hetzner about connections 
from other nodes. Destination port was always 443/tcp (https).

But now I see the post "Advisory: Unauthenticated remote trigger of 
Hetzner's "Netscan" detection" from invisibleprefixes on this list[0] that 
explains the whole thing in detail -- thank you for posting that!

I hope Hetzner reads their emails and understands this issue. But I'm 
unsure what they are supposed to do here. Can these "portscans" maybe be 
prevented on a technical level from the relay's end?

Christian.

[0] https://lists.torproject.org/mailman3/hyperkitty/list/tor-relays@xxxxxxxxxxxxxxxxxxxx/thread/KWSEYSWFKD55P4VVBYOTHHOEIBRZODRT/

> 
> TIME (UTC)           SRC SRC-PORT -> DST       DST-PORT SIZE PROT
> --------------------------------------------------------------------
> 2026-02-28 11:14:23  xxx 48905 ->   xxx.xx.116.12   443   74 TCP
> 2026-02-28 11:14:24  xxx 48905 ->   xxx.xx.116.13  9004   74 TCP
> 2026-02-28 11:14:12  xxx 23292 ->   xxx.xx.116.32  9002   74 TCP
> [...]
> -------------------
> 
> In the attached report I can find ~500 entries, spanning across 5 minutes, 
> with my address as "source" and several destination addresses that can be 
> grouped into three entities:
> 
> * 5 entries for UDP traffic to the Xerox Corporation, at least according 
>   to whois. Weird, but then again: UDP, spoofable, and I did not consider 
>   these 5 entries relevant enough to investigate further.
> 
> * 5 entries for UDP traffic to 198.18.0.1 -- which is a bogon address, 
>   used for RFC 2544 and should not be routed anyway. Weird that this
>   would show up in their abuse report.
> 
> * The remaining entries point to network addresses in a /24 network. whois
>   points to a RIPE assignment, and querying RIPE directly for these 
>   addresses, they are all marked as "TOR EXIT".
> 
> So, clearly these addresses are part of the Tor network and I fail to 
> understand who contacted Hetzner, complaining that my relay node 
> contacted...other Tor nodes? Or is it a bad actor, disguising as a "TOR 
> EXIT" and then sending abuse reports to the hosting companies?
> 
> Does anyone have an idea what to make of this report?
> 
> Thanks,
> Christian.
> 
> [0] https://lists.torproject.org/mailman3/hyperkitty/list/tor-relays@xxxxxxxxxxxxxxxxxxxx/thread/JZ7FVJSOVYXZCAFGYXCH7H732S3N5R4W/
> 
> -- 
> BOFH excuse #217:
> 
> The MGs ran out of gas.
> _______________________________________________
> tor-relays mailing list -- tor-relays@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to tor-relays-leave@xxxxxxxxxxxxxxxxxxxx
> 

-- 
BOFH excuse #42:

spaghetti cable cause packet failure
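The triage Christian describes by hand (set aside the UDP rows as spoofable, flag the RFC 2544 bogon, group the rest by /24 and check whether they are Tor relays) can be scripted over the report table Hetzner attaches. The script below is an added example written for this thread, not something posted by Christian or shipped by Hetzner or the Tor Project. The report lines and the relay set it uses are constructed from RFC 5737 documentation addresses; a real run would load the relay set from the current Tor consensus or from Onionoo instead of the hard-coded `KNOWN_RELAYS` placeholder.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# One row of the report table quoted in the thread:
# "TIME (UTC)  SRC SRC-PORT -> DST  DST-PORT SIZE PROT"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>[\w.:]+)\s+(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.:]+)\s+(?P<dport>\d+)\s+(?P<size>\d+)\s+(?P<proto>TCP|UDP)$"
)

# RFC 2544 benchmarking space, the "bogon" range the thread mentions (198.18.0.0/15).
BOGON_NETS = [ipaddress.ip_network("198.18.0.0/15")]

# Constructed sample report using RFC 5737 documentation addresses, not real hosts.
SAMPLE_REPORT = """\
TIME (UTC)           SRC SRC-PORT -> DST       DST-PORT SIZE PROT
--------------------------------------------------------------------
2026-02-28 11:14:23  192.0.2.10 48905 ->   203.0.113.12   443   74 TCP
2026-02-28 11:14:24  192.0.2.10 48905 ->   203.0.113.13  9004   74 TCP
2026-02-28 11:14:12  192.0.2.10 23292 ->   203.0.113.32  9002   74 TCP
2026-02-28 11:14:30  192.0.2.10 51022 ->   203.0.113.40   443   74 TCP
2026-02-28 11:15:01  192.0.2.10 40001 ->   198.18.0.1      53   62 UDP
2026-02-28 11:15:02  192.0.2.10 40002 ->   198.51.100.200 5060  62 UDP
2026-02-28 11:15:10  192.0.2.10 52211 ->   198.51.100.9   443   74 TCP
"""

# Constructed placeholder for the relay list; an operator would load the real
# set of relay addresses from the Tor consensus or Onionoo instead.
KNOWN_RELAYS = {"203.0.113.12", "203.0.113.13", "203.0.113.32", "203.0.113.40"}


def parse_report(text):
    """Parse report rows into dicts; header, separator and '[...]' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        for key in ("sport", "dport", "size"):
            e[key] = int(e[key])
        entries.append(e)
    return entries


def classify(entries, known_relays):
    """Sort entries into the triage buckets used in the thread."""
    buckets = defaultdict(list)
    for e in entries:
        try:
            dst = ipaddress.ip_address(e["dst"])
        except ValueError:
            # Masked addresses such as "xxx.xx.116.12" cannot be classified.
            buckets["unparseable_dst"].append(e)
            continue
        if any(dst in net for net in BOGON_NETS):
            buckets["bogon"].append(e)
        elif e["proto"] == "UDP":
            buckets["udp_spoofable"].append(e)
        elif str(dst) in known_relays:
            buckets["known_relay"].append(e)
        else:
            buckets["unexplained"].append(e)
    return buckets


def group_by_prefix(entries, prefixlen=24):
    """Count destinations per /prefixlen, as the thread does by hand for a /24."""
    counts = Counter()
    for e in entries:
        net = ipaddress.ip_network(f"{e['dst']}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def triage(report_text, known_relays):
    """Return a summary an operator can paste into a reply to the abuse desk."""
    entries = parse_report(report_text)
    buckets = classify(entries, known_relays)
    return {
        "total": len(entries),
        "counts": {k: len(v) for k, v in buckets.items()},
        "relay_prefixes": dict(group_by_prefix(buckets["known_relay"])),
        "relay_ports": dict(Counter(e["dport"] for e in buckets["known_relay"])),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REPORT, KNOWN_RELAYS), indent=2))
```

The "unexplained" bucket is the only one that needs a closer look: rows that are neither spoofable UDP, nor bogon destinations, nor known relays. Rows that land in "known_relay" with ORPort-looking destination ports (443, 9001, 9002, 9004) are what the thread describes, and the per-/24 and per-port counts give the numbers to cite when answering the report.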