I've heard once of a non-exit relay getting seized because it was used
as guard by a ransomware. We can't tell for sure, but maybe it's
some kind of virus connecting to its control server over tor and
choosing this relay as its guard, causing your ip to be flagged by
This is very much a guess, but I fail to see a better explanation.
On Tue, 11 Apr 2023 at 18:33, Finn <email@example.com> wrote:
We are hosting multiple relays under our AS 210558 and received an email from a local police station in Germany requesting user data, nothing unusual.
The weird thing is, that the relay in question is only a relay and not an exit node since its creation (184.108.40.206) (Tor Relays :: RDPdotSH) - anyone has an idea how this happens?
tor-relays mailing list
firstname.lastname@example.org tor-relays Info Page
It looks like your relay has been a Guard relay (i.e. has had the Guard
flag) for most of the past year. One possibility is that they have
somehow decided that a user they are trying to track uses your relay
as one of their Guards. That is, in this scenario they decided that the
user connects to your relay consistently over time, so they are asking
you to help them learn more about that user.
Of course, your Tor relay in its default settings doesn't have any useful
data for them, and you should keep it configured that way.
It is unclear how much people might be trying to do "guard discovery"
attacks in practice, and also unclear how well they might work -- there
is a lot of research on this class of attacks in theory but not much is
known about whether it matters in practice.
And who knows, it could be something else: maybe they are just fishing
for general information, or maybe they are intentionally creating useless
work and stress for you and your hosting provider to discourage you from
wanting to help Tor users.
More reading on the 'guard discovery attack' topic:
* PETS paper, From "Onion Not Found" to Guard Discovery:
Nothing unusual? I had a house search because of exits but never a user data
request because of entry nodes.
As a German organization, you must fully comply with Telekommunikation-
Telemedien-Datenschutz-Gesetz §9 (the German telemedia data protection law),
which prohibits to log any personally identifiable data or usage data unless
required for billing purposes. As you do not charge for using your services,
you will never be able to keep any connection data. ¯\_(ツ)_/¯
Tor routers owned by German media services are protected by Telemediengesetz