Is it possible that law enforcement discovers illegal onion services through internet exchange points?

Law enforcement agencies around the world could monitor internet traffic at internet exchange points and, when they discover an IP address that has persistent Tor connections, temporarily cut all connections to it and then check if this causes any of the illegal onion services to go down.

1 Like

I don’t think it is that simple.

AFAIK the attacker can’t easily differentiate a connection exiting an onion service and any other long-term Tor connection like the ones between two relays. So if they cut down a connection and see the onion site going down, it doesn’t mean they have the IP address of the onion site; they could have the IP address of any of the relays on the path of the onion site. Also, onion sites do create multiple paths; cutting down one of them might not cause the onion site to go down for you.

Take into account that there are thousands of onion sites, and most of them are not serving illegal content. Law enforcement can’t go around shutting down everything they see hoping to hit an illegal onion address, as they will disturb the legit access to Tor for many people and the chances of hitting what they are looking for are pretty low.

Another story is if the attacker already has an IP address that for some other reason they believe is hosting an onion service. Shutting down all the connections to this IP address might be used to check if their belief is true. But they cannot use this mechanism to discover onion services.

4 Likes

AFAIK the attacker can’t easily differentiate a connection exiting an onion service and any other long-term Tor connection like the ones between two relays. So if they cut down a connection and see the onion site going down, it doesn’t mean they have the IP address of the onion site; they could have the IP address of any of the relays on the path of the onion site.

They can easily check if the IP address is a known Tor relay.

Take into account that there are thousands of onion sites, and most of them are not serving illegal content. Law enforcement can’t go around shutting down everything they see hoping to hit an illegal onion address, as they will disturb the legit access to Tor for many people and the chances of hitting what they are looking for are pretty low.

Is there a law that forbids them to temporarily disrupt network for the purpose of fighting crime?

From Talk about onions:

In contrast to running a Tor relay, running a Tor Onion Service does not result in your IP address being publicly listed anywhere, nor does your service relay other Tor traffic.

An onion service on the Tor network behaves like any other Tor client. And there are between 2 and 8 million users connected to Tor every day. Plus ~600k v3 onion addresses. You see, things can get more complicated when analyzing in the real world.

Depends on which country and what you mean by “temporarily disrupt network”.

2 Likes