Hello everyone,
TL;DR: My findings suggest that around 15% of my Tor traffic on Hetzner servers stays within Hetzner; therefore, both the guard and middle relay appear to be inside the Hetzner network for a significant number of these circuits.
I was doing some basic maintenance on my server farm today and noticed something odd. For the Tor servers I have running at Hetzner, the traffic numbers quoted by Hetzner in their console are a good amount lower than the numbers I was seeing in my monitoring suite running on the servers directly. This was consistent across all the Tor servers I host there while a different server – not used for Tor in any way – didn’t show this behavior and the numbers matched within 1% of each other.
I read up and looked at how Hetzner measures their numbers: https://docs.hetzner.com/robot/general/traffic/
- The measured values of the traffic usage are determined by the routers only after disconnecting a TCP connection. If a TCP connection exists for several hours, the total volume of this traffic will be displayed as a peak at the time of disconnection.
- We calculate monthly traffic only using outgoing traffic. We do not count incoming and internal traffic.
To exclude the first point from screwing with my findings, I restarted all Tor instances for one of the servers and completely rebooted a second one. The changes were minimal.
Could it therefore be that the remaining traffic stays within Hetzner and is therefore not counted by their console? That implies that quite a significant number of Tor circuits are being built with Hetzner servers in both the guard and middle position. Is that possible? If so, is this behavior known and desired? I highly doubt it!
Here are the numbers:
Things to note:
- My monitoring solution accumulates traffic every 5 minutes and displays the totals in TiB with 2 decimal points.
- The Hetzner Console numbers appear to update every ~30 minutes and are displayed down to the MB.
- My Tor instances at Hetzner are a wild mix of guard and middle nodes.
- Hetzner uses multiple IP ranges; my four servers are spread across three different /16 subnets even though they are in the same physical location.
Therefore, I think the numbers above need to be seen with a certain amount of variance (1-2% maybe). Still, I find ~15% internal traffic quite shocking!
Any thoughts?
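
One way to reason about the "is that possible?" question, as an added example that is not part of the original post: Tor's distinct-subnet rule (`EnforceDistinctSubnets`) only keeps two relays in the same /16 out of one circuit, so a provider spread over several /16s can still supply the next hop. The relay list, weights and provider labels below are constructed, and selection is simplified to weight-proportional with only the /16 exclusion applied.

```python
import ipaddress

# Constructed sample: (address, consensus weight, hosting provider label).
# Addresses, weights and labels are made up for illustration.
RELAYS = [
    ("10.1.0.5", 300, "provider-A"),     # same /16 as our relay
    ("10.2.7.9", 500, "provider-A"),     # same provider, different /16
    ("10.3.1.1", 400, "provider-A"),     # same provider, different /16
    ("172.16.4.4", 2000, "provider-B"),
    ("172.20.9.9", 1800, "provider-C"),
    ("192.168.3.3", 1000, "provider-D"),
]


def slash16(addr):
    """Return the /16 network that contains addr."""
    return ipaddress.ip_network(f"{addr}/16", strict=False)


def next_hop_share(relays, my_addr, my_provider, enforce_subnets=True):
    """Weight-proportional chance that the next hop sits at my_provider.

    Simplification (assumption): selection is proportional to the raw
    weight; Tor's position weights, flags and family rules are not modelled.
    """
    mine = slash16(my_addr)
    eligible = [
        (addr, weight, provider)
        for addr, weight, provider in relays
        if addr != my_addr
        and not (enforce_subnets and slash16(addr) == mine)
    ]
    total = sum(weight for _, weight, _ in eligible)
    same = sum(weight for _, weight, p in eligible if p == my_provider)
    return same / total if total else 0.0


if __name__ == "__main__":
    # Our own relay (constructed address) is hosted at provider-A.
    with_rule = next_hop_share(RELAYS, "10.1.0.1", "provider-A")
    without_rule = next_hop_share(RELAYS, "10.1.0.1", "provider-A", False)
    print(f"same-provider next hop, /16 rule on:  {with_rule:.1%}")
    print(f"same-provider next hop, /16 rule off: {without_rule:.1%}")
```

Replacing the constructed list with relay addresses and weights from a real consensus, plus a prefix-to-provider mapping, gives an expected same-provider share to compare against a measured figure.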