I hear people claim that attacks against Tor are only theoretical, but I never quite understood this idea. Many of the theoretical attacks against Tor have been carried out against the live Tor network with success. For example, timing attacks have certainly been proven to work against Tor. This new attack is simply a timing attack in which the attacker positions themselves at the HSDIR and hopes to own one of the client's or hidden service's entry guards. From the quote I have read here on the first page of posts, it seems like the researchers are taking the wrong angle when approaching this method of attack. If the hidden service has a bad entry guard, it can be deanonymized by the owner of the entry guard so long as the entry guard owner knows the .onion address. It seems the researchers are enumerating hidden service .onion addresses and then carrying out a trivial timing attack to see if one of their entry guards was selected by any of the hidden services. This is interesting, but many of the interesting hidden services are already public knowledge, in which case the attack is a simple timing attack that has already been in the literature for many years.
I think that, more importantly, this attack allows the attacker to position themselves such that they only need to own the entry guard of a client connecting to a hidden service in order to deanonymize the client. The client connects to a HSDIR that is attacker controlled, so the attacker has half of a timing attack; if the client's utilized entry guard is also attacker controlled, then the attacker can link the client to the hidden service. That is a bit more interesting; it is nothing really groundbreaking, though. It is also clearly not simply a theoretical attack, and indeed it could be easily carried out against the live Tor network; the only issue is owning the entry guard utilized by the connecting client, which is the hard part. I imagine that for the most part the Tor developers will say 'meh' about this paper.
None of this is really new, except for perhaps the ability for an attacker to become the HSDIR of arbitrary hidden services. Entry guards protect from this attack to the extent that they can, and we are left again with what is essentially trusting a single-hop proxy.