Cannot tell if you are trolling or just stubborn and retarded. I am really tired of trying to educate people about Tor today, particularly people who you would think would know better (not you, I don't expect you to know jack shit). Traffic analysis of Tor is not almost impossible. All you need to do to deanonymize a Tor user is be able to see traffic from them and/or to them enter and exit the network (or in the case of a hidden service, reach its final destination, the hidden service server). Observing 6 packets at multiple points in the Tor network is more than enough to link them together, regardless of who sent them. This is true of all low latency networks that don't use some latency blending protocol like Alpha or Tau mixing. Actually, observation of a single packet at two points on a circuit is all that is required to break Tor anonymity: www.blackhat.com/presentations/bh-dc-09/Fu/BlackHat-DC-09-Fu-Break-Tors-Anonymity.pdf (Single cell is enough to break Tor's anonymity), although to be fair the author of that paper is just a sensationalist who pretty much re-invented the timing attack.

Regardless, yes, the attacker is the one who sends the packets in this attack. Remember, to deanonymize a Tor user you only need to observe traffic to them entering the network and arriving at them also. Well, if you send packets to a hidden service you can certainly watch them enter the network. Now all you need to do is watch them arrive at their destination! Okay, now the next part of the attack is being able to watch the packets reach the destination, in this case the hidden service. How to do this?!?! What you do is this. Every time you connect to a hidden service you tell it a rendezvous node to build a circuit to. A client can tell a hidden service to connect to as many damn rendezvous nodes as it wants, and the hidden service builds a new circuit to the rendezvous node. 
So what you do is add some nodes to the network; this is called a sybil attack and it is the basis for all other active attacks. Now you tell the hidden service to build an arbitrary number of circuits to an arbitrary number of rendezvous nodes. Each of these circuits consists of nodes selected from the Tor network. Now, since you own some of the nodes on the Tor network, and since you can force the hidden service to open as many new circuits as you want, eventually some of these newly created circuits are going to use nodes that you own! The only likely exception is the entry nodes of the hidden service, because it selects three nodes once every month to two months, and always enters traffic through these nodes if they are up. So unless it selects one of your nodes as its entry guards, it will never enter traffic through your nodes. Now from the client you send a stream of packets to the hidden service down all of the opened circuits you have built to it. You introduce a specific interpacket timing pattern to your stream and now you monitor at all of your Tor nodes looking for packet streams that fit this pattern. Once you detect the pattern at one of your sybil nodes you know that they are on the path to the hidden service. Now there are a few things you can do. First of all, you own the rendezvous node and every Tor node can see the IP address of its direct neighbors. So if you detect the pattern you introduced, the first thing you can do is see if the pattern came from the rendezvous node you selected. If it did, you know that the node that detected the pattern is the third node from the hidden service, which directly connects to the rendezvous. If it didn't, you know that the node is either the middle node or the entry guard of the hidden service. 
If the node you detect the traffic pattern in forwards that traffic on to a known Tor relay IP address, but doesn't get the traffic from the rendezvous node, you know that the node you are sending traffic to is either the hidden service (and that it is a Tor relay), or that it is one of the entry guards of the hidden service. If the node you detect the traffic pattern in doesn't get the traffic from the rendezvous and forwards it on to an IP address that is not a publicly listed Tor relay, you know that you are either forwarding the traffic to the hidden service's IP address and that you are one of its entry guards, or you know that you are sending the traffic to a bridge that the hidden service is using as an entry guard. Now there are a few things you can do if you determine that you may be the entry or middle node on the hidden service's circuit. If you know you are either sending traffic to the hidden service IP or a bridge IP, you can try to make a bridge connection through the IP address and see if it treats it as a bridge connection. If it doesn't, you know it is the hidden service's IP; if it does, you know it is a bridge and the hidden service is using it as an entry guard. If you know you are the middle node and want to see if the hidden service is the relay you forward traffic on to or if it is an entry guard, there are a few things you can do. First of all, you can DDoS the node and see if there is a downtime correlation between it being DDoSed and the hidden service going down. Or you can just keep doing the attack for a period of time and then use statistical analysis on the resulting dataset to come to a conclusion on whether the hidden service is the relay or the relay is an entry guard. In either case doing this attack will quickly trace either the hidden service, if you own one of its entry guards, or all of its entry guards, at which point you can order a trap and trace on it (via MLAT if required) to get its IP address. 
Or if you are not an attacker powerful enough to do legal passive analysis, there are plenty of other things you can try to do to get around the entry guard. You could try to hack the entry guards. You could simultaneously DDoS the entry guards, forcing the hidden service to select three new ones, and keep doing this until you run out of bandwidth to DDoS with or the hidden service selects one of your nodes as an entry guard. Or you could locate the entry guard and illegally tap it. Or you could social engineer the person who runs the entry guard into giving you access to it. Or you could blah blah blah. Harder for an attacker who can't legally order passive monitoring, but not impossible. The thing is they can get a positive identification of the hidden service's IP address before a single server is seized. Would you like to keep arguing with me and look more and more retarded with every post, or do you just want to admit that you were wrong (of course not, people like you never admit they are wrong, they just get more and more retarded)? Fair warning: I have been studying traffic analysis for several years now; if you have not, then chances are you are not going to be proving me wrong. But by all means, if you want to live in some fantasy world where Tor is super anonymous and totally impossible to pwn, go right on ahead; you will be in good company with the vast majority of its users and probably 98% of the people who would bother trying to attack it if they thought it was even remotely possible. Unfortunately, you guys live in a fantasy world. As far as anonymity goes Tor is a toy; the real powerful networks barely ever get further than mathematical formulas and whitepapers, largely because they require significant time delays and everybody wants low latency.
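The core of the attack described in the post above is the inter-packet timing pattern: the client shapes the gaps between its own packets and then looks for the same gap pattern at relays it controls. The following is an added simulation of that step, not code from the post or from any real tool, and the network model in it (a constant path latency plus Gaussian per-packet jitter, Poisson background traffic, the gap sizes, seeds and thresholds) is entirely constructed for illustration. It shows why decoding on gaps rather than absolute timestamps makes the detector immune to unknown path latency, and why the two gap sizes must be separated by well more than the jitter.

```python
"""Simulated inter-packet timing watermark (constructed example).

A sender encodes a pseudo-random bit pattern as the gaps between packets;
an observer somewhere on the path decodes the gaps and scores them against
the pattern. All timing parameters here are illustrative assumptions.
"""
import random
from typing import List, Tuple


def make_watermark(seed: int, nbits: int = 64) -> List[int]:
    """Pseudo-random bit pattern known to the sender and the observer."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(nbits)]


def emit_timestamps(bits: List[int], short_gap: float = 0.05,
                    long_gap: float = 0.20, start: float = 0.0) -> List[float]:
    """Sender-side send times: bit 1 -> long gap before next packet, bit 0 -> short gap."""
    ts = [start]
    for b in bits:
        ts.append(ts[-1] + (long_gap if b else short_gap))
    return ts


def observe(timestamps: List[float], rng: random.Random,
            latency: float = 0.8, jitter_sigma: float = 0.01) -> List[float]:
    """What a relay on the path sees: the same packets shifted by an unknown
    path latency and perturbed by per-packet jitter (assumed Gaussian)."""
    return [t + latency + rng.gauss(0.0, jitter_sigma) for t in timestamps]


def recover_bits(observed: List[float], threshold: float = 0.125) -> List[int]:
    """Decode gaps back to bits. Using gaps cancels the constant latency;
    the threshold sits midway between the two gap sizes."""
    gaps = [b - a for a, b in zip(observed, observed[1:])]
    return [1 if g > threshold else 0 for g in gaps]


def match_score(expected: List[int], recovered: List[int]) -> float:
    """Fraction of watermark bits that agree with the decoded gaps."""
    n = min(len(expected), len(recovered))
    if n == 0:
        return 0.0
    return sum(e == r for e, r in zip(expected, recovered)) / n


def detect(watermark: List[int], observed: List[float],
           min_score: float = 0.9) -> Tuple[bool, float]:
    """Flag the observed stream as carrying the watermark if enough bits agree.
    Unrelated traffic scores around 0.5 (a coin flip per bit)."""
    score = match_score(watermark, recover_bits(observed))
    return score >= min_score, score


def background_stream(rng: random.Random, npackets: int,
                      mean_gap: float = 0.18) -> List[float]:
    """Unrelated traffic: Poisson arrivals (constructed). With mean_gap 0.18
    about half the gaps exceed the 0.125 threshold, so decoded bits look random."""
    ts = [0.0]
    for _ in range(npackets - 1):
        ts.append(ts[-1] + rng.expovariate(1.0 / mean_gap))
    return ts


def run_demo(seed: int = 1) -> Tuple[Tuple[bool, float], Tuple[bool, float]]:
    """Score a watermarked stream and an unrelated stream at the same observation point."""
    wm = make_watermark(seed)
    rng = random.Random(seed)
    wm_obs = observe(emit_timestamps(wm), rng)
    bg_obs = observe(background_stream(rng, len(wm) + 1), rng)
    return detect(wm, wm_obs), detect(wm, bg_obs)


if __name__ == "__main__":
    (hit, s1), (miss, s2) = run_demo()
    print(f"watermarked stream: detected={hit} score={s1:.3f}")
    print(f"background stream:  detected={miss} score={s2:.3f}")
```

The margin that matters is the difference between the two gap sizes relative to the jitter the path adds: here the gaps differ by 0.15 s against a per-gap jitter of roughly 0.014 s, so essentially every bit decodes correctly, while an unrelated stream agrees on about half the bits and never reaches the 0.9 cutoff. Shrinking the gap difference toward the jitter, or adding packet loss, is what pushes the two scores together.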