Largest DDoS In History Reaches 300 Billion Bits Per Second 450
An anonymous reader writes "The NYT is reporting that the Largest DDoS in history reached 300 Gbps. The dispute started when the spam-fighting group Spamhaus added the Dutch company Cyberbunker to its blacklist, which is used by e-mail providers to weed out spam. Millions of ordinary Internet users have experienced delays in services like Netflix or could not reach a particular Web site for a short time. Dutch authorities and the police have made several attempts to enter the bunker by force but failed to do so. The attacks were first mentioned publicly last week by Cloudflare, an Internet security firm in Silicon Valley that was trying to defend against the attacks and as a result became a target."
Watch your clauses, people! (Score:5, Informative)
The dispute started when the spam-fighting group, called Spamhaus, added the Dutch company Cyberbunker to its blacklist, which is used by e-mail providers to weed out spam.
I think what they meant to say here was: "The dispute started when the spam-fighting group Spamhaus, which maintains a blacklist used by e-mail providers to weed out spam, added the Dutch company Cyberbunker to its blacklist."
Re:Watch your clauses, people! (Score:5, Funny)
A Slashdot editor Yoda has become.
Re:Watch your clauses, people! (Score:5, Funny)
I wish there was a smaller unit than bits. The headline would become more exciting!
Re:Watch your clauses, people! (Score:5, Insightful)
SI unit prefixes are readily available anytime you need them.
-femtobyte
Re: (Score:3, Funny)
Electrons. Quintillions of highly charged electrons running wild.
Re:Watch your clauses, people! (Score:4, Interesting)
I wonder if anyone can calculate the environmental impact of sending all those DDOS packets? Overall can it be claimed that spam and botnets are having an appreciable impact on the economy by wasting all that energy required to transmit all those pointless packets?
Re: (Score:3)
Re: (Score:3)
How about symbols?
Cubic Emoticons.
Re:Watch your clauses, people! (Score:4, Funny)
A Slashdot editor Yoda has become.
Edit or edit not; there is no try.
Re:Watch your clauses, people! (Score:5, Funny)
Edit or edit not; there is no try
On the edit-not side, the slashdot editors firmly are. Hmmm. Not give in to that side you must!
Re:Watch your clauses, people! (Score:4, Funny)
Edit or edit not; there is no try
On the edit-not side, the slashdot editors firmly are. Hmmm. Not give in to that side you must!
Ubi solitudinem editoriam faciunt, slashdotum appellant.
Re: (Score:3)
Re:Watch your clauses, people! (Score:5, Informative)
I came here to say this, and was all prepared to lambaste the summary, when I took the time to discover that the sentence is straight from TFA!
Great jorb, New York Times. And they wonder why newspapers are dying.
Re:Watch your clauses, people! (Score:4, Funny)
Shut up. The crosswords are still good.
Re:Watch your clauses, people! (Score:4, Funny)
Re:Watch your clauses, people! (Score:4, Informative)
Yes, its called Reverse path forwarding http://en.wikipedia.org/wiki/Reverse_path_forwarding [wikipedia.org] for this specific case you would want the unicast version (uRPF).
The concept boils down to a simple question,
"I just got a packet from A.B.C.D on interface ethX, if I had to send a packet to A.B.C.D would I use ethX?"
If the answer is yes, then the packet goes along its merry way. If the answer is no, then the packet is most likely spoofed and is dropped.
The performance impact is negligible as such lookups for the destination are already fully optimized by ASICs (hence a cisco 7600 with a measly 300Mhz processor can still route gigabit at wire speed), multi-path is a non-issue (assuming a non-brain dead implementation) as if multiple paths exist the answer to the question would still be yes as long as it came from one of the valid paths.
There might be valid reasons for asymmetric traffic which may prevent this from being universally deployed (say some satellite providers which only send download via satellite and upload is over something else) but for the vast majority of ISPs its safe to deploy.
At the ASN level each ISP is assigned a block of ips, if you are not a transit its a simple matter of just filtering to ensure nothing leaving your network is saying otherwise. Once you hit transit links both this scheme and RPF lose their power as depending on the failure almost any transit link can be a valid path. For such a scheme to work it has to be implemented as close to the end point as possible (which is the general structure of the Internet, intelligence sits near the edge where traffic volumes are reasonable, core is dedicated to just high speed movement of traffic).
Re: (Score:2)
Re:Watch your clauses, people! (Score:5, Informative)
Me neither, Netflix isn't even available for Dutch people.
Re:Watch your clauses, people! (Score:4, Interesting)
It doesn't.
The complaint is that the traffic resulting from the computers participating in the botnet that is behind this DDoS attack is sufficient, from wherever it is, to knock off legitimate use. As the bots can be anywhere, some are in the US. Those bots are causing grief for Netflix users.
Re: (Score:3)
And some of them speak Dutch!
Hence, Dutch Netflix users.
#NewspaperLogic
Re:Watch your clauses, people! (Score:5, Interesting)
Just a badly written article. The attack was a spoofed attack on DNS root servers (I think - badly written article) that reflected back toward Spamhaus. This would cause disruptions to DNS and to Spamhaus. By extension, the huge amount of traffic seems to be slowing down just about everything.
Don't know when this started, but I was watching Netflix on Monday and got 2 dots instead of my usual 4 and I'm in the Midwest US.
Re:Watch your clauses, people! (Score:5, Insightful)
Too spammy, too many words, blacklist twice: The dispute started when the spam-fighting group Spamhaus added the Dutch company Cyberbunker to its e-mail blacklist.
Removing words is like removing lines of code. Almost always makes it better.
Re:Watch your clauses, people! (Score:5, Funny)
Removing words is like removing lines of code. Almost always makes it better.
Removing ... words is like ... better
Bunker (Score:5, Funny)
Don't forget the power cord! (Score:3)
Re:Don't forget the power cord! (Score:5, Funny)
Cutting their communication lines was the first thing I thought of too. Then cutting their power lines. I may not have enough cofee in me to calm me down this morning but visions of the Dirty Dozen [wikipedia.org] dumping fuel and grenades into their bunker came to mind. }:D
If Carnival Cruise Lines have taught us anything, just back up their toilets. They'll be out in a jiffy.
Re: (Score:2, Interesting)
Re:Bunker (Score:5, Informative)
Re: (Score:2)
Re:Bunker (Score:5, Informative)
Re:Bunker (Score:4, Funny)
That picture is hilarious! Are those medieval shields?
This is the Netherlands. Those shields are made of weed. They are softer on the rioters, who cool down easier when this is used.
Re:Bunker (Score:5, Interesting)
You have obviously never seen the ME in operation; I have, it was not pretty. I especially liked the skill with which on of the mounted leant really low in the saddle to beat his stick on the heads of two women treating an unconscious man.
Re: (Score:2)
Heh, if true that is funny. I have some doubts as to the veracity of the story though, if a SWAT team wants in, in it is going to get. Unless the Dutch have them walking the beat or something and this is the SWAT equivalent of checking the doorhandles.
Re:Bunker (Score:5, Funny)
Re:Bunker (Score:4, Insightful)
If the SWAT team really wants to get in and has the backing of the local government, theyre going to get in. Break out some torches / thermal lances and go to work on the door.
Generally bunkers and other fortifications only work if you prevent combat engineers from going to town on the premises.
Re:Bunker (Score:4, Informative)
What materials exactly are they that are going to resist 4500 C cutting tools? You realize that a lot of bunkers are largely concrete, and that a thermal lance will go right through that, right? And that no bunker would completely withstand a nuclear blast-- it would take some damage, there is just sufficient material and the blast is sufficiently spread out that the bunker stands.
Once you start focusing with a lance on a bunker door, or break out a bunker-buster bomb designed to penetrate before exploding (rather than the mid-air explosion of a nuclear bomb), the bunker will fall.
Re: (Score:3)
Re: (Score:3)
Thermal lance.
The misconception here is that there are materials being used which can stand next to a nuclear blast and take no damage. Bunkers are generally concrete, and have doors; those can be breached by thermal lances (used in construction) and by strong explosives, or by bunker-buster bombs.
Re: (Score:3)
Re:Bunker (Score:4, Interesting)
All it takes to breach any bunker is a jackhammer. The big jackhammers mounted on heavy construction equipment eat through concrete and rebar with impressive speed - making a hole at several inches per minute.
Most concrete slabs can be removed by punching a few holes around the piece you don't like, then just knocking it a few times with the full weight of the excavator, shattering the concrete slab. If the bunker wall is a single concrete slab many feet thick, you'd just tamp some small explosives into the hole, remove a foot or so of concrete, then repeat.
Carving a roadway out of a granite cliff face is very low tech and well understood these days, and just making a hoe a few feet across in a thick concrete slab is in fact something that any construction demolitions company could do pretty easily with common equipment.
Re: (Score:3)
The bunker is meant to be self-sustaining for 10 years. The SWAT is not going to do a multi-year seige to get in there. So, yes, while they can't stay in there forever a SWAT would not breach it. Otherwise it would be worthless for its purpose.
So?
Cut the internet and maybe power connections, berm over the air handlers, and pave where applicable and forget about it.
I doubt the nerds inside have the capability of getting OUT from under a D9 created mound of debris.
When their parents call because junior hasn't been eating the hot pockets placed mommy the top of the basement stairs they'll figure out who is in there, and who to send the bill to.
Seriously though, if I were a CLEC or any other data provider I would have shut them off saying "breech
Re: (Score:3)
you do realize that a bullet proof vest doesn't work well against knives even though a bullet contains a lot more force than a typical knife attack.
a similar idea applies to this bunker. yes it can take a nuclear blast, however that doesn't make it indestructible by any means. any determined foe with direct access to the facilities will eventually get in. the main thing that makes the bunker nuclear proof is really thick concrete, and that is rather simple to break up, heck we do it every day on various
Re:Bunker (Score:4, Interesting)
How many 20 megaton bombs have been used, and how many bunkers would withstand one?
More to the point, what materials are being used, then, that will withstand a 4,500 C cutting tool for any appreciable length of time?
Re:Bunker (Score:4, Interesting)
A 1MT bomb will obliterate the blast door.
I dont know that there are any materials we have that are designed to resist a point-blank nuclear bomb; generally the solution is "throw more concrete at it".
Re: (Score:2)
Re: (Score:3)
It's really simple, hey judge can you issue an order to cut of there internet access. Sure. Hand order to there peers. No fiber need be harmed when you can just shut down the port at the far end.
That ass said I doubt that the traffic originates from cyberbunker they do not have 30 10ge connections.
Re:Bunker (Score:5, Insightful)
These Danish cyberbunker people seem to share a mindset with the U.S. Ruby Ridge crowd, and they're both wrong. Making yourself an immobile target and defying state power in a developed nation really only has two outcomes: either you're not enough of a nuisance to provoke action, or you get crushed.
Re:Bunker (Score:4, Insightful)
Ruby Ridge crowd? Uhhhmmmm - how many people were in that "crowd" that you refer to? And - the guy didn't make himself an "immobile target" exactly. That's just kinda sorta the thing that happens when you start raising a family. It's tough to raise kids on horseback, or in a Greyhound bus, or whatever.
https://en.wikipedia.org/wiki/Ruby_Ridge [wikipedia.org]
Three adults, one kid, versus a myriad of entangled government agencies.
Perhaps you're confusing Ruby Ridge with Waco? There was a real crowd in Waco.
Re: (Score:3)
Actually it does let them defy the government, it just comes at the cost of their lives. Whether that cost is acceptable is left as a judgement call to the citizen.
Re: (Score:3)
I'm sure can be defeated in time with civil engineering equipment.
You could ask those guys who bore railroad tunnels through the alps.
Re:Bunker (Score:5, Interesting)
Except that this bunker has an air reprocessing center. It's a whole underground complex, meant to house a part of NATO's command center in the event of a thermonuclear war.
On the other hand, cutting the network cable would indeed render the criminals inside nice and fluffy, with a self-inflicted prison sentence if they decide to refuse to go out. They already resisted police raids twice, including once by a SWAT team.
Re:Bunker (Score:5, Interesting)
I don't think those powerhungry air scrubbers are still online all the time.
And I surely hope that the Cold War independent energy source (probably a small nuclear reactor) was removed, so cutting power should simply work. As soon as the batteries drain, end of story.
But note that the whole SWAT story seems to have Cyberbunker as only source in the linked articles. I wouldn't take their (spamming ddosers they are) word for it.
The whole article regurgitates the vibe that CB wants to spin, it is not a factual description of reality. The main NATO HQ on Dutch soil used to be the Cannerberg (which could house government and parlement), while the said location afaik is only a minor relay station, and the spin seems to borrow facts from more major bases.
Re:Bunker (Score:5, Funny)
Re: (Score:3, Insightful)
Re: (Score:3)
The interesting and telling part from their site is that they didn't really resist the raid, they just didn't notice it.
Re: (Score:3)
Re: (Score:3)
The summary makes it sound like the Cyberbunker is a physical location. If so, a wire cutter should cut off it's access to the inter webs.
Interesting that people on Slashdot really think that the DDOS attack is being co-ordinated from hosts housed in the Cyberbunker hosting site. Are people really that out of touch with how botnets and DDOS attacks are managed?
And the perpetrator(s) are... (Score:2)
Re: (Score:3)
Noo...."Reeesearchers"!
Re: (Score:3)
More likely some mafiosi that controls malware and spambots, and their "clients" don't like a bunch of amateurs blocking their messages.
This is far more likely. Maybe if the kid rented it from a criminal enterprise, but i doubt some kid is in de facto control of such a vast swarm.
Re:And the perpetrator(s) are... (Score:5, Informative)
More likely some mafiosi that controls malware and spambots, and their "clients" don't like a bunch of amateurs blocking their messages.
DING DING DING
From the BBC article [bbc.co.uk]:
Spamhaus has alleged that Cyberbunker, in cooperation with "criminal gangs" from Eastern Europe and Russia, is behind the attack.
from tfa: (Score:4, Insightful)
“These things are essentially like nuclear bombs,” said Matthew Prince, chief executive of CloudFlare. “It’s so easy to cause so much damage.”
relax dude, its just spam, not nuclear warfare. shut the computer off and go outside for a couple of hours.
Re: (Score:3)
It's just a comparison. With a nuclear war, the target may be destroyed, but there is always going to be collateral damage to innocent around the target. With this attack, it's very powerful (like a nuclear bomb) and it has affected many unrelated, innocent companies/users (like a nuclear bomb).
Shutting off the computer and going outside may work for John Q. Public when his favorite gaming server is experiencing high latency as a result. When your job is to consult to prevent or mitigate this specific att
don't RTFA (Score:5, Funny)
Re: (Score:2)
Old is new again (Score:5, Informative)
I find it very interesting that they are using a variation on the Old Smurf attacks for this. Sending a message to other places that work as an amplifier. You would think that after 10 years we would have learned that blind, unchecked, forwarding is not a good thing.
DNS amplification is still easy, BCP38 ignored (Score:3)
Unfortunately, too many DNS configurations can be used for amplification, because the responses are larger than the queries, especially if you've got new and interesting record types like DNSSEC, and too many ISPs still ignore the Best Current Practices #38 recommendation on blocking spoofed traffic. RPF is your friend.
There's some mitigation out there because the bigger response record types don't always fit in a single UDP packet, so DNS servers may handle them over TCP (which is harder to forge), and ma
Re: (Score:3)
I think his point is that the ISPs from where these packets originated should never have allowed those spoofed packets out. And the network backbone of that ISP should never have allowed those spoofed packets to reach the DNS servers. And so forth.
Excuse my naivety but (Score:5, Insightful)
With an operator no doubt facilitating illegal actions of their customers, and refusing to no doubt enfore court orders to disconnect their customers for said actions, couldn't a case be made to disconnect them from THEIR upstream providers because they are now acting illegally but not following court orders, presuming that their upstream providers follow court orders, and the upstream upstream until you get to a legitimate entity. It seems quite an shortcoming of the law that they can act with impunity while allowing their customers to bring down the very fabric of the world wide web.
Re: (Score:3, Interesting)
to disconnect them from THEIR upstream providers
That's about the start of the online war. Though disconnection was not by court orders, but by spamhaus' actions.
Years ago cyberbunker was already sending out spam. When spamhaus got sick of the actions of cyberbunker, they put A2B internet, the uplink for cyberbunker, on the blacklist in order to force A2B to disconnect cyberbunker. While cyberbunker should have been killed a decade ago, the A2B IP range affected did not send out spam. Spamhaus abused their power to force a (mostly) legal company to discon
Spamhaus reports, _users_ block (Score:5, Informative)
The different lists published by Spamhaus distinguish whether the IPs are directly responsible or are organizationally related. There is no abuse of power here — customers subscribe to the lists that they want, and use those lists to block as they see fit. Spamhaus isn't forcing anyone to use the lists, nor is it misrepresenting what's in the lists.
Alleged attempts to enter the bunker by force. (Score:5, Informative)
From TFA:
In other words: Cyberbunker is not currently under assault by police, and we have only their word that they ever have been. I suspect that at one time they were successful in having visiting cops think nobody was home by being real quiet and quickly turning off all the lights.
Re: (Score:2)
From the summary:
From TFA:
In other words: Cyberbunker is not currently under assault by police, and we have only their word that they ever have been. I suspect that at one time they were successful in having visiting cops think nobody was home by being real quiet and quickly turning off all the lights.
Why would you turn the lights off? It's very apparent visually, and confirms people are there. I'd leave them alone, people leave some lights on in their house... or bunker, even when absent.
Re:Alleged attempts to enter the bunker by force. (Score:4, Interesting)
Re: (Score:3)
You realize Cyberbunker is situated in a bunker designed to survive a nuclear war. It was designed to function independently for 10 years. Not sure how long that would work with the servers at full load,
Right up until someone cut comms with a multi-tool.
Fiber connections (Score:3, Insightful)
Well, I'd assume to be online they're probably going to have some sort of fiber-optic connection. Even if it's redundant, it's going to plug into the greater infrastructure somewhere and it shouldn't be *too* hard to sever if the police really had a mind to do so.
Re:Alleged attempts to enter the bunker by force. (Score:5, Informative)
You realize Cyberbunker is situated in a bunker designed to survive a nuclear war.
You don't have to kill them. Just unplugging their Internet connection would be enough, Then padlock the door and wait till they knock on it and ask to be let out. How long could that be? A week at the outside?
I don't believe the bullshit about then fending off SWAT teams anyway. That's what they say on their own website. No government really cares about spam enough to send in a SWAT team. It's all "protected commercial speech", and plenty of assholes in government are happy to let them do it. If they gave a shit, they know who is DDOSing and exactly where they are. They could arrest them. Freeze their bank accounts. Turn off their electricity, water. But they do nothing.
Important bit missing from a bad summary (Score:5, Interesting)
From TFA:
Cyberbunker brags on its Web site that it has been a frequent target of law enforcement because of its “many controversial customers.” The company claims that at one point it fended off a Dutch SWAT team.
The only mention of "Dutch authorities and police" comes from the Cyberbunker company itself. The article is badly written, so it's not completely clear (from the context) whether or this claim is related to the current dDOS the company is running. The writer doesn't appear to have talked to anyone in Holland - except perhaps the self-styled spokesman for Cyberpunker.
Cyberbunker fended off the Dutch SWAT? (Score:2)
Still not sure why authorities didn't break out the fiber seeking backhoe to solve this problem if that company is legitimately holed up in what sounds like a minor siege.
Re: (Score:2)
Here it is: http://cyberbunker.com/web/swat.php [cyberbunker.com]
Not sure what to make of this, doesn't directly sound like something that actually happened. But well, who knows.
Re: (Score:2)
Still not sure why authorities didn't break out the fiber seeking backhoe to solve this problem if that company is legitimately holed up in what sounds like a minor siege.
The evidence linking them to the attack is only circumstantial. Maybe they are responsible for the attack, maybe it was one of their clients. Either way, breaking the fiber won't make any difference.
Re: (Score:2)
Comment removed (Score:5, Informative)
Comment removed (Score:4, Informative)
Evidence? (Score:2)
So where is the evidence that Cyberbunker has anything to do with this?
I appreciate the things the Spamhaus people do, but they don't exactly have a spotless record when it comes to accurately pointing fingers.
Re: (Score:3)
So where is the evidence that Cyberbunker has anything to do with this?
I appreciate the things the Spamhaus people do, but they don't exactly have a spotless record when it comes to accurately pointing fingers.
Did you read the article? If you did you would have spotted this:
Questioned about the attacks, Sven Olaf Kamphuis, an Internet activist who said he was a spokesman for the attackers, said in an online message that, “We are aware that this is one of the largest DDoS attacks the world had publicly seen.” Mr. Kamphuis said Cyberbunker was retaliating against Spamhaus for “abusing their influence.” “Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet,” Mr. Kamphuis said. “They worked themselves into that position by pretending to fight spam.”
Re:Evidence? (Score:5, Interesting)
Item 1: The DDOS began after Cyberbunker IPs were added to the black lists.
Item 2: Cyberbunker have a policy saying that they won't look at your servers and don't care what you do. Pretty much a green-light for spammers.
Item 3: The internet activist stating that the DDOS is in response to the blacklisting.
The circumstantial evidence points towards the attacks as being the result of the action Spamhaus took with respect to Cyberbunker. Its unlikely to be the company themselves, but rather at the instigation of one of their customers. The interesting thing is that you can find reports from 2011 (http://www.theregister.co.uk/2011/10/20/spamhaus_a2b_row/) where Spamhaus say that Cyberbunker were on the blacklist then with no prospect of being removed. What has happened in the meantime?
Re: (Score:3)
Pfft. Amateurs (Score:5, Interesting)
While the bunker itself is designed to withstand a nuclear blast, the doors are the weak point.
A thermal lance can cut through the door while also able to make a nice hold in the concrete walls into which explosives of various types can be implanted.
As others have said, cut the communication and electrical lines and let them fend for themselves. They may have food and fuel, but they can't last forever.
On second thought, cut the electricity and communication, then pile tons of rubble in front of the doors to prevent them from coming out once they exhaust their supplies.
Re: (Score:3)
Um what?
Are you proposing that polive forces upgrade to being full armies in order to "pacify" non violent people who aren't even aware of police presence?
It's not even like the people in the bunker were resisting arrest or anything. They had no idea the police were even there.
better articld (Score:5, Informative)
http://bbc.co.uk/news/technology-21954636 [bbc.co.uk]
No b/s subscription paywall nonsense
Spamhaus and the spam problem (Score:5, Interesting)
From TFA:
“Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet,” Mr. Kamphuis said. “They worked themselves into that position by pretending to fight spam.”
I'd rather not have to consult Spamhaus blacklists on my mail servers to block incoming email. I know that if I removed it my bandwidth would be clogged and the amount of work done by my servers to deal with spam would increase many fold. So I use Spamhaus blacklists and it makes me feel dirty. It's the wrong solution to the problem of spam. Surely we should be able to come up with something better.
Spamhaus has been going for 15 years. Look at the other technological advances in that time why don't we have an effective, agreed upon, resolution to the problem of spam? Perhaps the best thing would be for Spamhaus to shut up shop, to stop providing the DNS lists. For mail servers to stop filtering and marking the spam. Let the size of the problem manifest itself. Perhaps then we will get a concerted effort to stop it rather than mitigate the impact.
Re: (Score:3)
The answer is to get rid of email and replace it with something secure. The problem is, no one has stepped up to try it. Google Wave had promise in this area. Texting and instant messaging have chipped away at it a bit, but nothing has come out and replaced it.
Email needs end to end encryption along with built in spam prevention. It needs to look and feel like it does now but with all the changes made on the backend as to make the transition for end users seamless.
Why would anyone think cutting comms would help? (Score:5, Insightful)
IF its a DDOS, then losing control of the stupid little robots will not make it stop, they will just be unstoppable. If you want to prevent DDOS, then you need to force ISPs to perform egress filtering of source addresses that are outside of their network. And also implement a choke protocol to inform the ISPs that they have a bad actor on their network.
Re: (Score:3)
Re: (Score:3)
The Russian Wikipedia page states it has water and fuel for 10 years. I give them 10 days before cabin fever sets in.
Re: (Score:3)
This whole idea that they're impregnable is nonsense. There are cutting tools that will go through blast doors and concrete, and you can be sure that a determined SWAT team has access to them.
"Designed for nuclear war" doesnt mean you can just sit inside and not defend the premises as a demolition team goes to work on it, it just means it has some degree of resistance to a nuclear blast.
Re: (Score:3)
There are drilling machines that will bore railroad tunnels and 4-lane highways through granite.
Re: (Score:3)
Re: (Score:3)
It would only hold up for ten years if it was not surrounded and under sustained attack. Yes, it could possibly take a glancing hit from a nuke, but no, it would not stand up very long to some guys with drills and normal demolition charges who had the time to simply drill, demolish or undermine the complex. It would only serve as a fortress hard point if the people inside were armed and there was some hope that allied forces could relieve them in a reasonable amount of time.
And of course, as a way of prot