Tor onion services rely on long-lived introduction circuits to support anonymous rendezvous between clients and services. Although Tor incorporates defenses against traffic analysis, the introduction protocol retains deterministic routing structure that can be exploited by an adversary. We present a practical intersection attack against Tor introduction circuits that over repeated interactions can identify each hop from the introduction point toward the onion service while requiring observation at only one relay per stage. The attack repeatedly probes the target service and intersects sets of destination IP addresses observed within narrowly bounded INTRODUCE1-RENDEZVOUS2 intervals, without assuming global visibility or access to packet payloads. Our traffic-analysis technique identifies with certainty the next relay in the path to target at each stage, thereby revealing a gap in Tor's privacy model, which is intended to resist traffic-analysis attacks in which an adversary uses traffic patterns to determine which points in the network to observe or attack. We evaluate the attack's feasibility through live-network experiments using a self-operated onion service and relays. To support data minimization, we implement a Tor-compatible plugin that computes intersections online over pseudonymized data retained only in volatile memory. Our experiments show reliable convergence in practice, with convergence rate influenced by relay consensus weight and time-varying background traffic. We further assess practicality under a partial-global adversary model and discuss the implications of geographic concentration in Tor relay selection weight across cooperating jurisdictions.

翻译：Tor洋葱服务依赖长期存在的介绍电路来支持客户端与服务之间的匿名会合。尽管Tor集成了针对流量分析的防御措施，但介绍协议保留了可被攻击者利用的确定性路由结构。我们提出了一种针对Tor介绍电路的实际交集攻击，该攻击通过重复交互能够识别从介绍点到洋葱服务的每一跳，而每个阶段仅需观测一个中继节点。攻击会反复探测目标服务，并在严格限定的INTRODUCE1-RENDEZVOUS2时间窗口内对观测到的目标IP地址集合进行交集运算，无需假设全局可见性或获取数据包载荷。我们的流量分析技术能够在每个阶段确定性地识别通向目标节点的路径中的下一跳中继，从而揭示了Tor隐私模型的一个漏洞——该模型本应抵抗那种攻击者通过流量模式确定网络观测或攻击点位的流量分析攻击。我们通过自营的洋葱服务和中继节点进行了实时网络实验，评估了该攻击的可行性。为支持数据最小化原则，我们实现了一个Tor兼容插件，该插件可对仅保留在易失性内存中的匿名化数据进行在线交集计算。实验表明该攻击在实践中能可靠收敛，收敛速率受中继共识权重和时变背景流量影响。我们进一步在部分全局敌手模型下评估了其可行性，并讨论了跨合作司法辖区中Tor中继选择权重地理集中的影响。