Online anonymity and privacy has been based on confusing the adversary by
creating indistinguishable network elements. Tor is the largest and most widely
deployed anonymity system, designed against realistic modern adversaries.
Recently, researchers have managed to fingerprint Tor’s circuits — and hence
the type of underlying traffic — simply by capturing and analyzing traffic
traces. In this work, we study the circuit fingerprinting problem, isolating it
from website fingerprinting, and revisit previous findings in this model,
showing that accurate attacks are possible even when the application-layer
traffic is identical. We then proceed to incrementally create defenses against
circuit fingerprinting, using a generic adaptive padding framework for Tor
based on WTF-PAD. We present a simple defense which delays a fraction of the
traffic, as well as a more advanced one which can effectively hide onion
service circuits with zero delays. We thoroughly evaluate both defenses, both
analytically and experimentally, discovering new subtle fingerprints, but also
showing the effectiveness of our defenses.