Hackers shut down East Timor Internet addresses

A concerted attack involving simultaneous hacking from five countries caused an Irish Internet Service Provider (ISP) to switch off its systems last month. Connect-Ireland, the company affected, believes the Indonesian government is behind the attack.

The company has hosted the East Timorese domain--.tp--for the last year and posts material critical of Indonesia's occupation of East Timor. The small Dublin-based company originated from the TOPPSI BBS (Bulletin Board Service) launched by Brian Lenihan in 1990. It was responsible for creating the first community network in Europe, offering cost-effective communications. Connect-Ireland was set up in January 1995. As well as providing Internet services, the company also maintains a number of databases, one of which deals with East Timorese issues.

In late 1997, the Dublin ISP registered .tp as a top level domain in what they described as a gesture in support of exiled East Timorese leaders Ramos Horta and Bishop Belo, who won the Nobel Peace Prize in 1996 for their protest at the Indonesian occupation of East Timor.

"We noticed that the East Timor domain was available and assumed that the Indonesians would not wish to register it for political reasons. We made a suggestion to the East Timor Campaign and they were interested, so we set up the first virtual country on the Web as a platform for the East Timorese," said Martin Maguire, project director at Connect.

After being forced to suspend its services to 3,000 users in order to deal with a breach of its server security, the company has lodged a formal protest with the Indonesian embassy. Connect-Ireland estimate that the computer break-in has cost the company £18,000 initially, but anticipate the cost rising to £60,000 (Irish punts) as it plans to compensate its customers for the disruption to services with one month's free service.

Messages of support and offers of help from hackers and security specialists throughout the world flooded into the offices of Connect, where Linux programmers worked round the clock installing two new servers. Among 400 e-mails was an offer of help from the German hacker group, the Chaos club, and US security specialists IIS offered free software.

Connect's servers had been subjected to increasingly sophisticated attacks over a nine-month period. "They ran port-scanning software to build up a picture of our network. For a long time they tried a buffer-overflow attack on our daemon [application running permanently on the computer], but that didn't work. Once they got in they uploaded a whole bunch of software to make sure they could get in again," said network administrator Niall Cosgrove.

Cosgrove said that every machine had been compromised and that the attacks had originated from many different sources, with spoofed Internet addresses.

It is possible to administer a patch in such cases rather than change the entire system, but as a top level domain guardian Connect-Ireland has a specific responsibility to ensure that its services cannot be used as a basis for attacks on other systems. They therefore decided to install entirely new equipment. The company appealed for help in tracing the attacks, but said that some ISPs were not very responsive. Discussions are currently under way among both UK and Europe-wide ISPs to draw up a code of practice for dealing with hackers.

In an apology for lack of services, Connect-Ireland said the highly organised attack seemed to be aimed at stopping the East Timor Project. "We are not calling these people hackers or cyber-terrorists, but E-nazis, because anybody who behaves in such a way is jackbooting on people's right to free communications. Whether they are an individual, a company or a government does not matter."

A spokeswoman for the Indonesian embassy in London denied speculation that the Indonesian government was behind the attack. "How could we organise all those hackers? It is baseless," she said.

Connect-Ireland says the Indonesian government is extremely antagonistic towards the East Timor Project's use of the web. Maguire said that they had tracked 18 separate simultaneous attacks that appeared to originate in the US, Japan, Canada, Australia and the Pacific island of Nauru. "We don't think this is the work of a spotty teenager."