I assume you told Hetzner about your findings. Did they write a sensible reply?

From the thread I see that multiple Hetzner customers have been targeted. It should be clear to Hetzner by now that their customers are the victims and as such I think they should apologize to the people they have forwarded complaints to.

Regarding what people say about IP-ID in the thread, it's not true that IP-ID is randomized on every OS. I recently looked into how Linux does and learned that it is only on IPv6 that IP-ID is randomized, and that's something which was introduced less than 10 years ago.

The IP-ID values on IPv4 are still generated using a simple counter. However it uses different counters depending on a hash of the source and destination IP addresses, which makes idle scanning much harder than it used to be. But if you can find a combination of IP addresses which produce the same hash, then it's still possible.

A few years ago the number of counters was increased from 1024 to 262144. But due to the birthday paradox you only need around 512 IP address combinations to get assigned the same counter twice.

Update: I got an email from Hetzner's legal team today saying they came across my blog post (nice!). Paraphrasing:

- They're monitoring and understand that there is no actual abuse being done from these Tor relays getting spoofed.
- They emphasized that they do not routinely take action on this kind of abuse complaints, and that's why they forward them without requiring reply/action from the customer.

Love hearing this, and I'm actually impressed by Hetzner's response! Major props.