I've Seen This IP: A Practical Intersection Attack Against Tor Introduction Circuits and Hidden Services

Nicolas Constantinides

TL;DR

This paper describes a practical intersection attack on Tor introduction circuits that can, over repeated interactions, identify each hop from the introduction point toward the onion service while requiring observation at only one relay per stage.

Abstract

Tor onion services rely on long-lived introduction circuits to support anonymous rendezvous between clients and services. Although Tor includes some defenses against traffic analysis, the introduction protocol retains a deterministic routing structure that can be leveraged by an adversary. We describe a practical intersection attack on Tor introduction circuits that can, over repeated interactions, identify each hop from the introduction point toward the onion service while requiring observation at only one relay per stage. The attack issues repeated probes and intersects destination IP address sets observed within narrowly defined INTRODUCE1–RENDEZVOUS2 time windows, without assuming global visibility or access to packet payloads. We evaluate feasibility with live-network experiments using a self-operated onion service and relays, and we follow data-minimization and ethical safeguards throughout. The results show reliable convergence in practice, with the rate affected by consensus weight and time-varying background traffic. We also assess practicality under a partial-global adversary model and discuss implications in light of the geographic concentration of Tor relay weight across cooperating jurisdictions.

Paper Structure (24 sections, 6 equations, 3 figures, 7 tables)

This paper contains 24 sections, 6 equations, 3 figures, 7 tables.

Figures (3)

  • Figure 1: Structure of a four-hop introduction circuit in the Vanguard-Lite configuration. IP: introduction point; M1: first middle relay; M0: second middle relay (Vanguard); E–G: entry guard; HS: hidden service.
  • Figure 2: Geographic Concentration of Tor Relays: 14-Eyes Alliance Countries vs. All Others
  • Figure 3: Selection probability for entry and middle relays hosted inside vs. outside the Fourteen-Eyes alliance, based on Tor consensus weights.