Tor is the most popular and well-researched low-latency anonymous communication network provides sender privacy to Internet users. It also provides recipient privacy by making TCP services available through “hidden service”, which allowing users not only to access information anonymously but also to publish information anonymously. However, based on our analysis of the hidden service protocol, we found a special combination of cells, which is the basic transmission unit over Tor, transmitted during the circuit creation procedure that could be used to degrade the anonymity. In this paper, we investigate a novel protocol-feature based attack against Tor's hidden service. The main idea resides in fact that an attacker could monitor traffic and manipulate cells at the client side entry router, and an adversary at the hidden server side could cooperate to reveal the communication relationship. Compared with other existing attacks, our attack reveals the client of a hidden service and does not rely on traffic analysis or watermarking techniques. We manipulate Tor cells at the entry router to generate the protocol-feature. Once our controlled entry onion routers detect such a feature, we can confirm the IP address of the client. We implemented this attack against hidden service and conducted extensive theoretical analysis and experiments over Tor network. The experiment results validate that our attack can achieve high rate of detection rate with low false positive rate.