They are not drained of bandwidth but they have their CPU overwhelmed from all the crypto operations they need to do. Rendezvous points are from a much larger set of total nodes and each client connecting to a hidden service selects its own. The introduction points are from a small set of nodes and each client connecting to the hidden service uses a node from the same set. There are people who run relays putting in support tickets asking why their CPU usage suddenly jumps up to almost 100% and right now the answer is that they are probably selected as introduction points by popular hidden services. https://trac.torproject.org/projects/tor/ticket/3825 There have been many bugs related to popular hidden services (they tend to have poor reachability); several have to do with introduction points being overloaded. They have been working on these issues for a long time now and making improvements, but there are still recent reports of Tor relays being essentially totally drained of CPU processing power, and when this happens they cannot continue acting as introduction points. I am not sure of the current status of this group of bugs, but I believe it still causes rapidly changing introduction points. Your mistake is thinking that the DDOS is from bandwidth being overwhelmed instead of CPU. There are plenty of tickets related to introduction points being DDOSed; I suggest reading up on the issue if you are interested in its current status. You do have a good point though, that clients already connected to the hidden service when an attacker gains control of the introduction point have nothing to worry about. But while an attacker owns the introduction point, all new connections to the hidden service through that introduction point are susceptible to timing attacks (provided the attacker also can observe entry traffic from the connecting client).
So assuming new introduction points are selected every ten minutes, that is still roughly the same level of protection from timing attacks as connections to clearnet. I have no idea how many people connect to the Silk Road market at the same time, or if this forum is on the same server for that matter, but hundreds of people connect to here at the same time. I wouldn't be surprised if over a thousand people connect to the main market at the same time, although I never go there so who knows. I do know it has been linked to from several news websites though, and that it has many more registered users than the forums do, so I imagine it is more active than the forums are. If there are 100 clients and 3 introduction points, assuming equal distribution for ease of example, each introduction point needs to handle cryptographic operations for roughly 33 clients. The clients all have three entry guards and use one per connection, so it is entirely possible that none of the 100 clients share an entry guard used to connect to the introduction points. I do see your point about the HS entry guards though, as they will need to handle just as many create cells on average as the introduction nodes, assuming that all attempts to access the hidden service are successful. Unfortunately, attempts to access hidden services are not always successful. When clients fail to establish a connection to the HS, they try again and again, building new circuits to the introduction nodes, but not having their sent data make it all the way to the hidden service's entry guards. The entry guards for the hidden service will handle 33 circuits in the mentioned scenario, whereas the introduction points may need to handle dozens of circuits for each of the connecting clients that try and repeatedly fail to use them.
Last I read about this, rransom was working on a fix to stop clients from repeatedly spamming the intro points, but I don't believe he ever perfectly fixed it because I still see my Tor opening dozens of failed circuits when it tries to connect to a hidden service that currently appears to be down to it. Does anyone else still see this behavior? Also, currently it looks like hidden services use up to ten introduction nodes. When one introduction node is overwhelmed and cannot process the user's connection in a timely manner, Tor rips down the circuit and tries another introduction node. So assuming there are ten introduction nodes and they are all overwhelmed, that means a connecting client will establish at least ten circuits to ten different potentially attacker-controlled nodes. If they continue doing this over a period of say thirty minutes, and the introduction nodes rotate every ten minutes and are quickly overwhelmed, that would translate into up to thirty different attacker-controlled introduction nodes being accessed in a period of 30 minutes, or one per minute. This may be a worst case scenario, but I have had periods of time where I cannot establish a connection to the forums for half an hour or longer because of overwhelmed introduction nodes (made clear by the fact that Tor opened dozens of circuits that all failed, and the fact that people were still able to access the forum if they had an active rendezvous point, so it was not down). That could be roughly equivalent to using a new exit node once every minute to access clearnet sites.
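
The load and exposure arithmetic in the post above, as an added toy model that is not part of the original post and not Tor's real retry logic. The per-minute `capacity`, the once-a-minute retry and the round-robin node choice are assumptions; the 100 clients, 3 or 10 introduction points, ten-minute rotation and thirty-minute window come from the post.

```python
from collections import Counter

def simulate(clients=100, intro_points=3, capacity=5, rotate_every=10, minutes=30):
    """Toy model with constructed parameters, not Tor's real retry logic.

    Each minute every unconnected client walks the current introduction set
    until a node still has capacity. A full node still pays for the circuit
    (the CPU cost the post describes), but the attempt fails, so nothing
    reaches the hidden service's entry guards.
    """
    intro_circuits = Counter()                   # circuits built to each intro node
    contacted = [set() for _ in range(clients)]  # intro nodes each client touched
    connected = set()
    introductions = 0                            # attempts that reached the service
    for minute in range(minutes):
        epoch = minute // rotate_every           # intro set is replaced each epoch
        nodes = [f"intro-{epoch}-{i}" for i in range(intro_points)]
        served = Counter()                       # successes per node this minute
        for c in range(clients):
            if c in connected:
                continue
            for k in range(intro_points):
                node = nodes[(c + k) % intro_points]  # spread first choices evenly
                intro_circuits[node] += 1
                contacted[c].add(node)
                if served[node] < capacity:
                    served[node] += 1
                    introductions += 1
                    connected.add(c)
                    break
    return {
        "intro_circuits": sum(intro_circuits.values()),
        "introductions": introductions,
        "max_nodes_per_client": max(len(s) for s in contacted),
    }

if __name__ == "__main__":
    # 100 clients / 3 intro points as in the post; capacity of 5 per minute is assumed.
    print(simulate())
    # One client, ten intro points that never answer, rotating every ten minutes.
    print(simulate(clients=1, intro_points=10, capacity=0))
```

With the assumed capacity, the first run has the introduction points building 955 circuits for 100 introductions that actually reach the service side; the second run has a single client touching 30 distinct introduction nodes in 30 minutes.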