A new paper came out with a similar but more thorough analysis. They claim to be able to identify hidden service entry guards in under 2 hours. They also propose counter-measures, which of course include layered entry guards. Here are the relevant parts. Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf Abstract - Tor is the most popular volunteer-based anonymity network consisting of over 3000 volunteer-operated relays. Apart from making connections to servers hard to trace to their origin it can also provide receiver privacy for Internet services through a feature called "hidden services". In this paper we expose flaws both in the design and implementation of Tor's hidden services that allow an attacker to measure the popularity of arbitrary hidden services, take down hidden services and deanonymize hidden services. We give a practical evaluation of our techniques by studying: (1) a recent case of a botnet using Tor hidden services for command and control channels; (2) Silk Road, a hidden service used to sell drugs and other contraband; (3) the hidden service of the DuckDuckGo search engine. VII. REVEALING GUARD NODES OF HIDDEN SERVICES In this section we present an attack to reveal the guard nodes of a hidden service when the list of the introduction points in the HS descriptor is not encrypted (for the case when the list of introduction points in encrypted see Appendix B). To do this, we use a technique similar to that presented in section VI; control over at least two Tor non-Exit relays is needed to carry it out. In the attack, the hidden service is forced to establishes many rendezvous connections to the rendezvous point (RP) controlled by the attacker in hope that some circuits pass through the second node (the middle node) controlled by the attacker. The RP generates traffic with a special signature which can be identified by the attacker's middle node. The steps of the attack are the same as in section VI. Asymptotically, the probability that the attacker's middle node is chosen for the rendezvous circuit, approaches 1. Whenever the rendezvous point receives a RELAY_COMMAND_RENDEZVOUS1 with the same cookie as the attacker sent in the RELAY_COMMAND_INTRODUCTION1 cell it logs the reception and the IP address of the immediate transmitter of the cell. At the same time, the attacker's middle node monitors the circuits passing through it. Whenever it receives a DESTROY cell over a circuit it checks: 1) whether the cell was received just after the rendezvous point received the RELAY_COMMAND_RENDEZVOUS1 cell; 2) if the next node of the circuit at the middle node coincides with the previous node of the circuit at the rendezvous point; 3) whether the number of forwarded cells is exactly 2 cells up the circuit and 52 cells down the circuit. If all the conditions are satisfied, the attacker decides that her middle node was chosen for the hidden service's rendezvous circuit and marks the previous node in the circuit as a potential guard node of the hidden service. We implemented the attack and ran it against two hidden services operated by us. In both cases the guard nodes were identified correctly, without any false positives. In the first case, the rendezvous point received around 36 000 RELAY_COMMAND_RENDEZVOUS1 cells in 1 hour 20 minutes and the correct guard nodes were identified 8, 6, and 5 times correspondingly. In the seconds case, the rendezvous point received 16 000 RELAY_COMMAND_RENDEZVOUS1 cells in 40 minutes and the correct guard nodes were identified 5, 2, and 1 times respectively. We also used this approach to identify the guard nodes of the botnet hidden service. Note that in the attack described in this section an attacker can use just one middle node and send the traffic signature as a client. However it requires building rendezvous circuits which makes the attack longer. The same applies to the attack presented in section VI. VIII. DISCUSSION AND POTENTIAL COUNTERMEASURES We propose two countermeasures to make distributed storage of the hidden service descriptors more robust. The first of these prevents the directory authorities from learning the contents of hidden services descriptors they are serving. This prevents hidden services from harvesting descriptors to learn more onion addresses. Our second proposed change makes the position of the responsible hidden service directories in the directory fingerprint ring unpredictable for any hidden service. This removes the opportunity of targeting hidden service directories. Henceforth attackers can no longer precompute identity keys to target hidden services for popularity measurements and to deny service to them by selectively running relays with those keys. Harvesting can be easily prevented by making the descriptor-cookie authentication [15] mandatory for all hidden services and base32 encoding the value as part of the URL together with the permanent-id. The downside of this change is a significantly reduced usability: instead of 16 character onion addresses the user now has to deal with onion-addresses that are 42 characters long. In order to prevent adversaries from efficiently targeting hidden service directories we propose the following changes: For each hour, an unpredictable value is derived by the directory authorities from a shared secret. Three of these values are included in the consensus - one for each of the hours the consensus is valid. The unpredictable value valid for the hour of the request is then included in the calculation of the descriptor ID and henceforth determines the place on the ring where the descriptor is stored. This makes it impossible for an attacker to precompute identity keys for time periods further ahead than 3 hours in the future. Additionally, directory authorities base the decision on whether a relay is assigned an HSDir flag on the number of past consecutive consensus documents the relay has been listed in and not on the uptime of the relay. This prevents the shadowing attack we have described. To prevent the guard nodes being revealed, one can use an additional layer of guard nodes - guard middle nodes. This countermeasure has already been proposed in [19] but is not implemented in Tor. Note that this measure will not protect against an attacker exploiting degree anomalies of the guard nodes as described in Section B. Unfortunately, we do not see how the risk of guard nodes being able to deanonymize a hidden service having chosen them can be eliminated completely. Recent work by Tariq et al. [9] suggests that the guards compromise rate can be decreased by (1) making the guard rotation interval longer and (2) by taking into account how long nodes have been part of the network when assigning Guard flags to them. Note that this approach if not carefully implemented has a number of downsides like reduced end-user quality of experience and malicious nodes accumulating Tor users. In regard to revealing the introduction circuits, if the attacker will not be able to collect the full list of hidden service descriptors, she will not be able to distinguish between introduction circuit of hidden services with encrypted introduction points and non-encrypted.