Back to Guides
Security & ProtectionAdvanced

DDoS Protection Setup for Minecraft Servers

Protect your server from distributed denial-of-service attacks with proxy services, firewall rules, and best practices.

Blockhead Support Team
15 minutes
DDoS attacks can make your server unavailable to legitimate players. This guide covers multiple layers of protection to keep your server online.
1

Understanding DDoS Attacks

Learn how DDoS attacks affect Minecraft servers:

Common Attack Types:

  • Layer 3/4 attacks: Flood server with network traffic
  • Layer 7 attacks: Overwhelm with Minecraft protocol requests
  • Botnet attacks: Many fake players joining simultaneously
  • Amplification attacks: Exploiting server responses
  • Slowloris: Keeping connections open to exhaust resources

Attack Symptoms:

  • Server becomes unreachable
  • Extreme lag for all players
  • Console spam with connection attempts
  • High bandwidth usage
  • CPU/Memory spikes
DDoS protection cannot stop all attacks, but it significantly reduces their impact and filters most common threats.
2

Use a Proxy Service

Hide your server's real IP behind a proxy:

Popular DDoS Protection Services:

  • TCPShield: Free tier available, easy setup
  • Cloudflare Spectrum: Enterprise solution
  • DDoS-Guard: Gaming-focused protection
  • Path.net: Global network protection
  • OVH Game DDoS Protection: Built into OVH hosting

TCPShield Setup Example:

  1. Sign up at tcpshield.com
  2. Add your backend server IP
  3. Configure DNS to point to TCPShield
  4. Install TCPShield plugin on server
  5. Enable "Only allow TCPShield IPs"
3

Configure Firewall Rules

Set up server-side firewall protection:

IPTables Rules (Linux):

# Rate limiting for new connections iptables -A INPUT -p tcp --dport 25565 -m state --state NEW -m recent --set iptables -A INPUT -p tcp --dport 25565 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP # Limit concurrent connections per IP iptables -A INPUT -p tcp --syn --dport 25565 -m connlimit --connlimit-above 3 -j DROP # Drop invalid packets iptables -A INPUT -m state --state INVALID -j DROP # Allow established connections iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Windows Firewall Setup:

  1. Open Windows Defender Firewall
  2. Create inbound rule for port 25565
  3. Set connection limit per IP
  4. Enable logging for dropped packets
4

Implement BungeeCord/Velocity

Use a proxy to add protection layers:

Proxy Benefits:

  • Hide backend server IPs
  • Distribute load across multiple servers
  • Central point for security plugins
  • Connection throttling capabilities

Velocity Configuration:

# velocity.toml [advanced] connection-timeout = 5000 read-timeout = 30000 login-ratelimit = 3000 [query] enabled = false # Disable direct connections to backend [servers.lobby] address = "127.0.0.1:25566" restricted = false
5

Install Anti-Bot Plugins

Add server-side bot detection and filtering:

Recommended Anti-Bot Plugins:

  • AntiBot (Bukkit/Spigot): Detects and blocks bot attacks
  • BotFilter (BungeeCord): Advanced bot detection
  • EpicGuard: Multi-platform protection
  • ExploitFixer: Patches various exploits
  • LimitedCreative: Prevents crash exploits

AntiBot Configuration:

# Enable protection modules accounts-firewall: true connection-throttle: true first-join-check: true # Detection settings max-connections-per-ip: 3 connection-time-threshold: 1000 ping-threshold: 500 # Action on detection kick-message: "Connection throttled"
6

Optimize Server Settings

Configure server to handle attacks better:

server.properties Optimizations:

# Reduce view distance during attacks view-distance=6 # Lower network compression threshold network-compression-threshold=512 # Disable query to prevent amplification enable-query=false # Limit player count max-players=100 # Faster timeout for dead connections player-idle-timeout=300

spigot.yml/paper.yml Settings:

# Connection throttling connection-throttle: 4000 # Limit packets max-packet-rate: 500.0 # Disable certain features disable-saving: false bungeecord: true
7

Set Up Monitoring

Detect attacks early with monitoring tools:

Monitoring Solutions:

  • Grafana + Prometheus: Real-time metrics dashboard
  • Zabbix: Network and server monitoring
  • UptimeRobot: External availability monitoring
  • Server logs: Analyze connection patterns

Key Metrics to Monitor:

  • Network bandwidth usage
  • Connections per second
  • Unique IPs connecting
  • Failed authentication attempts
  • Server TPS and response time

Simple monitoring script:

#!/bin/bash # Monitor connections to Minecraft port netstat -an | grep :25565 | wc -l > /tmp/mc_connections.log # Alert if connections exceed threshold if [ $(cat /tmp/mc_connections.log) -gt 200 ]; then echo "Possible DDoS attack detected" fi
8

Create Response Plan

Prepare procedures for when attacks occur:

During an Attack:

  1. Enable whitelist temporarily
  2. Reduce server view-distance and max-players
  3. Contact hosting provider for help
  4. Enable stronger firewall rules
  5. Collect evidence (logs, IPs)
  6. Communicate with players via Discord/website

Post-Attack Actions:

  • Analyze logs to identify attack patterns
  • Update firewall rules based on attack
  • Report attack to authorities if severe
  • Improve protection based on lessons learned
  • Document incident for future reference
9

Best Practices

Maintain long-term DDoS resistance:

  • Never share real server IP: Always use proxy/protection service
  • Regular backups: Prepare for worst-case scenarios
  • Stay updated: Keep all software and plugins current
  • Community management: Ban troublemakers quickly
  • Multiple layers: Combine different protection methods
  • Test your defenses: Simulate attacks in controlled environment
  • Have a backup server: Redirect players during attacks
Effective DDoS protection requires multiple layers. No single solution is perfect, but combining these methods provides strong defense against most attacks.

Need More Help?

Our support team is available 24/7 to help with any Minecraft server issues.

Contact SupportView Hosting Plans