Tor's hidden services provide both sender privacy and recipient privacy to users. A hot topic in security of Tor is how to deanonymize its hidden services. Existing works proved that the recipient privacy could be revealed, namely a hidden server's real IP address could be located. However, the hidden service's circuit is bi-directionally anonymous, and the sender privacy can also be revealed. In this letter, we propose a novel approach that can transparently discover the client of the hidden service. Based on extensive analysis on the hidden service protocol, we find a combination of cells which can be used to generate a special traffic feature with the cell-padding mechanism of Tor. A user can implement some onion routers in Tor networks and monitor traffic passing through them. Once the traffic feature is discovered, the user confirms one of the controlled routers is chosen as the entry router, and the adjacent node is the client. Compared with the existing works, our approach does not disturb the normal communication of the hidden service. Simulations have demonstrated the effectiveness of our method.

Tor is the most popular and well-researched low-latency anonymous communication network provides sender privacy to Internet users. It also provides recipient privacy by making TCP services available through “hidden service”, which allowing users not only to access information anonymously but also to publish information anonymously. However, based on our analysis of the hidden service protocol, we found a special combination of cells, which is the basic transmission unit over Tor, transmitted during the circuit creation procedure that could be used to degrade the anonymity. In this paper, we investigate a novel protocol-feature based attack against Tor's hidden service. The main idea resides in fact that an attacker could monitor traffic and manipulate cells at the client side entry router, and an adversary at the hidden server side could cooperate to reveal the communication relationship. Compared with other existing attacks, our attack reveals the client of a hidden service and does not rely on traffic analysis or watermarking techniques. We manipulate Tor cells at the entry router to generate the protocol-feature. Once our controlled entry onion routers detect such a feature, we can confirm the IP address of the client. We implemented this attack against hidden service and conducted extensive theoretical analysis and experiments over Tor network. The experiment results validate that our attack can achieve high rate of detection rate with low false positive rate.