If the hidden service is not on a Tor server, and there is no other
way for the attacker to build a list of candidates to ping, then the
attack becomes a lot harder.
Yes, this is what we observed too; but found nothing about this in
the FAQ
on hidden services and the default tor config is not set up to permit
this configuration without
hackery.
Likewise [not in reference to hidden servers], it is better for Tor
to use a different outbound
address to inbound, since the ORport addresses are published globally
by Dirservers. Also
not mentioned to my knowledge.