When you connect through Tor, your traffic hops through three volunteer-run relays before reaching the open internet: an entry (or guard) relay that sees your real IP address, a middle relay that sees neither end, and an exit relay that sees your destination but not you. No single relay sees both who you are and what you are doing. That is the whole point of the design.
The obvious way to pick those relays would be to shuffle the deck every time and choose all three at random. For the middle and exit positions, that is roughly what Tor does. For the entry position, it deliberately does not. Understanding why means looking at what happens when you repeat a small gamble thousands of times.
The problem with picking a fresh entry every time
Suppose a well-resourced adversary runs a modest fraction of the Tor network, say one percent of relay capacity. If you chose your entry relay fresh for every circuit, then on any given circuit there is a one percent chance your entry belongs to the adversary. That sounds tolerable. It is not, because you do not build one circuit. Tor rotates circuits every few minutes, so a heavy user builds thousands of them a month.
Repeat a one percent gamble often enough and a rare event becomes a near certainty. Over thousands of circuits, the probability that the adversary lands in your entry position at least once climbs toward one. And the entry relay is the sensitive one: it sees your real IP. If the same adversary also happens to observe your destination, through a malicious exit or through network-level monitoring, they can attempt to correlate the two ends and deanonymize you. Cycling entry relays constantly does not spread the risk. It guarantees you eventually roll the bad number.
Rotating the entry relay does not reduce exposure to a malicious relay. It maximizes it, because every new draw is another chance to pick a hostile one. The safer move is to draw once, carefully, and stay put.
What a guard actually does
A guard is an entry relay that Tor selects once and reuses for an extended period. Modern Tor uses a single guard by default and keeps it for a randomized lifetime measured in weeks to a couple of months before rotating to a new one. The relays eligible to be guards are a subset flagged by Tor's directory authorities as stable and high-uptime, since a guard you keep for weeks needs to actually stay online.
The logic is a bet on odds. If your one guard is honest, you are safe at the entry position for its entire lifetime, no matter how many circuits you build. If your one guard is hostile, you are exposed for that whole lifetime. So the design concentrates the risk into a single yes-or-no question asked rarely, instead of spreading it across thousands of independent draws. With an adversary controlling one percent of guard capacity, roughly one percent of users draw a bad guard and the other ninety-nine percent are protected for the full period. That is a far better outcome than near-everyone eventually touching a hostile relay.
This reasoning traces back to research on what are called predecessor attacks, where an adversary who repeatedly appears adjacent to a target across many connections can gradually infer the target's identity. Sticking to a fixed guard removes the repetition the attack depends on. The Tor Project moved from a rotating pool of three entry guards toward a single, longer-lived guard as this analysis matured.
Guard discovery and onion services
Guards protect the client, but they also become a target. If an adversary can figure out which guard a particular Tor user or onion service depends on, they can attack that one relay directly: knock it offline to force a rotation onto a relay they control, monitor it, or pressure whoever operates it. This is called a guard discovery attack, and it is especially relevant to onion services, which build many long-lived circuits and so give an adversary more opportunities to probe their path selection.
Tor's answer is layered guards. Instead of a single hop the adversary can isolate, an onion service places additional pinned relays deeper in its circuits, so that discovering the outermost relay does not reveal the real guard closest to the service. A defense of this kind, historically shipped as the Vanguards add-on and later folded into Tor itself, widens the gap an attacker must cross between spotting a relay and reaching the machine that matters.
Anonymity is not about making every choice random. It is about making the dangerous choices rarely and deliberately, so an attacker gets fewer chances to be in the wrong place.
What this means for you as a user
For everyday Tor Browser use you do not need to configure any of this. Guard selection is automatic and the defaults reflect years of analysis. But the concept is worth carrying with you, because it corrects a common intuition. More randomness and more rotation feel safer. In this case they are not, and knowing why sharpens how you reason about anonymity in general.
- Do not force guard rotation. Clearing your Tor state to get a fresh guard resets the careful bet in your favor to a fresh coin flip. Let guards persist as designed.
- Guards do not defend against a global observer. An adversary who can watch traffic at both ends of the network can still attempt correlation. Guards reduce how often a relay-running adversary reaches your entry position; they do not solve traffic analysis at the network layer.
- Bridges are guards too. If you use bridges to reach Tor in a censored network, your bridge plays the guard role, with the same stick-with-it logic.
The pattern behind the pattern
Guard nodes are a small piece of Tor, but they teach a general lesson about designing under uncertainty. When you cannot eliminate a risk, you get to choose how it is distributed. You can smear it thinly across many events, which feels fair and turns out to make the bad outcome nearly certain over time. Or you can concentrate it into a single rare decision, accept that a small minority draws the short straw, and protect the large majority completely. Tor chose the second shape on purpose. It is the same instinct that shows up whenever a system has to survive an adversary it cannot see: reduce the number of moments where a wrong guess is fatal.