FiveM DDoS protection: how to keep
your GTA server online

Back to Blog

Why FiveM Servers Get DDoS'd Constantly

If you run a FiveM server, you have either been DDoS'd already or you will be soon. FiveM sits at the intersection of every factor that makes a server an attractive DDoS target. The community is competitive, the infrastructure is exposed, and the tools to attack are cheap and widely available.

Competitive RP communities. FiveM roleplay servers are intensely competitive. Server owners compete for players, and player counts directly determine revenue from donations, Tebex stores, and priority queue access. Taking a rival server offline for even 30 minutes during peak hours pushes players to your server instead. This creates a direct financial incentive for attacks that does not exist in most other gaming communities.

Grudge attacks. FiveM communities are tight-knit, and conflicts between players, staff members, and server owners are common. A banned player, a fired admin, or a disgruntled former developer may retaliate by DDoS'ing the server. These grudge attacks are often sustained over days or weeks because the motivation is personal, not financial.

Booter services make it trivially cheap. DDoS-for-hire services (booters or stressers) cost as little as $10-20 per month and require zero technical skill. A 15-year-old with a PayPal account can purchase enough attack capacity to take down most unprotected FiveM servers. The barrier to entry is effectively zero, which means every minor community dispute can escalate into a DDoS attack.

Server IPs are publicly visible. When you add your FiveM server to the cfx.re server list, your IP address and port are broadcast to every potential player and every potential attacker. Anyone can open the server list, find your server, and read your IP directly. There is no CDN or proxy sitting between the attacker and your server. You are one connect command away from revealing your exact network address.

Low-budget hosting. Many FiveM servers run on budget VPS providers or cheap dedicated servers with little to no DDoS protection. When an attack hits, the provider null-routes the IP and the server disappears for hours. The attacker knows this and uses it as leverage.

FiveM Network Architecture: What You Need to Know

Understanding how FiveM networking works is essential for defending it. FiveM uses a specific set of ports and protocols that attackers target, and knowing these details helps you write effective firewall rules and detection logic.

Default port and protocols

FiveM servers listen on port 30120 by default, using both TCP and UDP. The game traffic (player movement, synchronization, voice chat) flows primarily over UDP. The initial connection handshake and some resource downloads use TCP. Both protocols on port 30120 must be open for players to connect and play.

Server list query protocol

FiveM servers respond to query requests from the cfx.re master server and from players browsing the server list. These queries hit port 30120 and return server info: player count, server name, game type, and resource list. This query-response mechanism is unauthenticated, which means anyone can send queries, and some attackers abuse it for amplification by spoofing the source address.

cfx.re infrastructure vs self-hosted

The cfx.re platform provides the master server list and some relay infrastructure, but your actual game server runs on your own hardware or VPS. cfx.re does not proxy game traffic. When a player connects to your server, their packets go directly to your IP address. This is fundamentally different from platforms like Discord (where voice traffic routes through Discord's servers) or web applications (where Cloudflare can proxy HTTP requests). With FiveM, your server IP is the front line.

Additional ports

Beyond port 30120, FiveM servers may also use:

• Port 40120 (UDP): Used by txAdmin for server monitoring and RCON-like functionality in some configurations
• Port 30120 + range: Some resources and voice chat plugins (like mumble-voip or pma-voice) may use adjacent ports
• HTTP port (typically 80 or 8080): If you run a txAdmin web panel exposed to the internet

Every open port is an attack surface. Minimizing exposed ports is one of the simplest steps you can take to reduce your attack profile.

Common Attack Types Against FiveM Servers

Attackers do not use a single method. They pick the technique that is most effective against your specific setup. Here are the attack types you will encounter most frequently.

UDP flood on port 30120

This is by far the most common attack against FiveM servers. The attacker sends a massive volume of UDP packets to port 30120, saturating your server's bandwidth or overwhelming its ability to process packets. A typical booter can generate 1-10 Gbps of UDP flood traffic, which is more than enough to overwhelm most VPS and dedicated server connections.

During a UDP flood, legitimate player packets are lost in the noise. Players experience rubber-banding, desync, and eventually mass disconnects. If the flood exceeds your hosting provider's threshold, they null-route your IP and your server vanishes entirely.

Query amplification

Attackers abuse the FiveM server list query protocol to amplify their attack traffic. They send small query requests to your server with a spoofed source IP (the victim's IP). Your server responds with a larger query response directed at the victim. If the attacker sends queries from thousands of spoofed IPs simultaneously, your server becomes an unwitting participant in amplifying an attack against someone else, while also consuming your own bandwidth and CPU processing those queries.

SYN flood on the TCP component

Since FiveM uses TCP on port 30120 for connection establishment, SYN floods are effective. The attacker sends a high volume of TCP SYN packets with spoofed source IPs, filling up the server's connection table (SYN backlog). Once the table is full, no new legitimate players can connect. Existing players may stay connected, but anyone who disconnects cannot rejoin.

Application-layer attacks

More sophisticated attackers target the FiveM application layer directly:

• Mass fake player joins: Bots initiate hundreds of connection attempts simultaneously, exhausting the server's player slots and connection processing capacity
• Resource exploitation: Sending malformed packets that trigger expensive server-side processing in specific FiveM resources or scripts
• Voice chat flooding: Overloading the voice chat subsystem with garbage audio data if the voice port is exposed

Recognizing the Symptoms

How do you know you are under attack versus just having a bad connection? Here are the telltale signs:

• Players rubber-banding or desyncing simultaneously: If one player lags, it is their connection. If every player lags at the same time, it is the server.
• Mass disconnects: 10+ players dropping within the same 5-second window is almost always an attack or a hosting provider issue.
• Server dropping from the server list: The cfx.re master server pings your server periodically. If it cannot reach you, your server disappears from the list.
• "Connection timed out" errors: New players cannot connect and see timeout messages instead of the loading screen.
• txAdmin showing high resource usage: CPU and memory spike as the server struggles to process the flood of malicious packets alongside legitimate game logic.
• Provider null-route notification: You receive an email from your hosting provider saying your IP has been null-routed due to incoming attack traffic.

Immediate Response When Under Attack

When you realize your FiveM server is being DDoS'd, speed matters. Here is what to do in the first 60 seconds.

Step 1: Confirm the attack with iftop

SSH into your server (if you still can) and run iftop to see what is happening at the network level:

sudo iftop -n -i eth0 -f "port 30120"

This shows you real-time bandwidth usage filtered to your FiveM port. If you see massive inbound traffic from IPs you do not recognize, you are under attack. Note the source IPs and the traffic volume. If the traffic is coming from thousands of different IPs, the sources are likely spoofed.

Step 2: Emergency iptables rate-limiting

Deploy emergency rate-limiting rules to throttle incoming UDP traffic on port 30120:

# Rate-limit new UDP packets on port 30120 to 100/sec per source IP
sudo iptables -A INPUT -p udp --dport 30120 -m state --state NEW \
  -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 150 \
  --hashlimit-mode srcip --hashlimit-name fivem_udp \
  -j DROP

# Rate-limit TCP SYN packets on port 30120
sudo iptables -A INPUT -p tcp --dport 30120 --syn \
  -m hashlimit --hashlimit-above 20/sec --hashlimit-burst 30 \
  --hashlimit-mode srcip --hashlimit-name fivem_tcp \
  -j DROP

These rules will not stop a large volumetric flood (that happens upstream of your server), but they will help the server survive smaller attacks and reduce CPU load from processing malicious packets.

Step 3: Contact your hosting provider

Open a ticket with your hosting provider immediately. Include the output of iftop, the approximate traffic volume, and the time the attack started. If your provider has DDoS mitigation capabilities, ask them to enable it. If they have already null-routed your IP, ask for their estimated restoration time and whether they can apply mitigation rules to un-null-route you sooner.

FiveM-Specific Firewall Rules

Once you are past the immediate crisis, set up permanent firewall rules tailored to FiveM's traffic patterns. Here is a complete iptables ruleset for a FiveM server:

# Flush existing rules (caution: disconnects if you lock yourself out)
sudo iptables -F INPUT

# Allow established and related connections
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow SSH (change 22 to your SSH port)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow FiveM game traffic (TCP + UDP on 30120)
sudo iptables -A INPUT -p tcp --dport 30120 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 30120 -j ACCEPT

# Allow txAdmin web panel (restrict to your IP if possible)
sudo iptables -A INPUT -p tcp --dport 40120 -s YOUR_ADMIN_IP -j ACCEPT

# Rate-limit UDP per source IP on game port
sudo iptables -A INPUT -p udp --dport 30120 \
  -m hashlimit --hashlimit-above 150/sec --hashlimit-burst 200 \
  --hashlimit-mode srcip --hashlimit-name fivem_rate \
  -j DROP

# Rate-limit TCP SYN on game port
sudo iptables -A INPUT -p tcp --dport 30120 --syn \
  -m hashlimit --hashlimit-above 25/sec --hashlimit-burst 40 \
  --hashlimit-mode srcip --hashlimit-name fivem_syn \
  -j DROP

# Drop obviously spoofed packets
sudo iptables -A INPUT -s 0.0.0.0/8 -j DROP
sudo iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
sudo iptables -A INPUT -s 224.0.0.0/4 -j DROP
sudo iptables -A INPUT -s 240.0.0.0/5 -j DROP

# Limit ICMP to prevent ping floods
sudo iptables -A INPUT -p icmp --icmp-type echo-request \
  -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# Drop invalid packets
sudo iptables -A INPUT -m state --state INVALID -j DROP

# Default policy: drop everything else
sudo iptables -P INPUT DROP

This ruleset follows a whitelist approach: only explicitly allowed traffic gets through. Everything else is dropped. The rate-limiting rules per source IP prevent any single IP from overwhelming the server, while still allowing normal player traffic.

Save your iptables rules with sudo iptables-save > /etc/iptables/rules.v4 so they persist across reboots. On Ubuntu/Debian, install iptables-persistent to handle this automatically.

Server Configuration Hardening

Beyond firewall rules, there are FiveM-specific configuration changes that reduce your attack surface and make you a harder target.

Hide from the public server list

If your server is private (invite-only or community-only), there is no reason to broadcast your IP on the cfx.re server list. Add this to your server.cfg:

sv_master1 ""

This prevents your server from appearing in the public server list. Players can still connect directly using your IP or a cfx.re/join/XXXXX link, but attackers cannot discover your server by browsing the list. For private RP communities, this is one of the most effective steps you can take.

Move to a non-default port

Port 30120 is the default, and automated attack tools target it specifically. Moving to a non-standard port forces attackers to scan for your server rather than assuming the default. In your server.cfg:

endpoint_add_tcp "0.0.0.0:31500"
endpoint_add_udp "0.0.0.0:31500"

This is security through obscurity and will not stop a determined attacker, but it defeats automated booter scripts that blindly target port 30120. Combined with hiding from the server list, it significantly reduces drive-by attacks.

Use Cloudflare Spectrum or OVH Game DDoS Protection

Cloudflare Spectrum can proxy TCP and UDP traffic through Cloudflare's network, hiding your origin server IP behind Cloudflare's anycast infrastructure. This is the closest thing to a CDN for game servers. The downside is cost: Spectrum is priced per GB of traffic and can become expensive for busy servers. However, for high-value servers generating significant revenue, the protection is worth the cost.

OVH Game DDoS Protection is included with OVH's Game dedicated server line. It provides always-on L3/L4 scrubbing with protocol-awareness for common game engines, including FiveM. OVH's VAC (Vacuum) system filters attack traffic at the network edge before it reaches your server. For FiveM operators, OVH Game servers are one of the best hosting options specifically because of this built-in protection.

txAdmin configuration for monitoring

If you use txAdmin (and you should), configure its monitoring to alert you when the server becomes unreachable or when player counts drop suddenly:

• Set the server monitor to restart the FiveM process if it crashes during an attack
• Configure Discord webhook alerts in txAdmin so you know immediately when the server goes down
• Restrict the txAdmin web panel to your admin IP (see the iptables rules above) so attackers cannot access it

Choosing the Right Hosting Provider

Your hosting provider is your first line of defense. The difference between a provider with game-specific DDoS protection and one without can be the difference between a 2-second disruption and an 8-hour outage. Here are the providers that FiveM operators should consider:

• OVH Game servers: Built-in Game DDoS Protection with always-on VAC scrubbing. The best out-of-the-box protection for FiveM. Their data centers in Gravelines (France), Beauharnois (Canada), and Sydney cover most player bases. Expect to pay $60-120/month for a capable FiveM-ready dedicated server.
• Path.net: Purpose-built for game hosting with protocol-aware DDoS scrubbing and low-latency routing optimized for UDP game traffic. Popular with larger FiveM communities that need premium network quality and DDoS resilience.
• CosmicGuard: Specializes in game server DDoS protection as a service. They provide proxy-based protection that sits in front of your server, absorbing attacks before they reach your infrastructure. Works with any hosting provider.
• Hetzner: Budget-friendly but minimal DDoS protection. IPs get null-routed at ~500 Mbps of attack traffic. Not recommended as a primary choice for FiveM servers that expect attacks, but workable if you layer additional protection on top.
• Vultr / DigitalOcean / Linode: General-purpose cloud VPS providers with basic DDoS protection. Fine for development and testing, but production FiveM servers should use a provider with game-specific mitigation.

When evaluating a hosting provider, ask specifically about their UDP flood mitigation capabilities and their null-route threshold. Providers that only protect against TCP-based attacks leave FiveM servers exposed to the most common attack vector.

Long-Term Protection with Real-Time Monitoring

Firewall rules and a good hosting provider handle known attack patterns, but they do not give you visibility into what is happening on your network in real time. You need monitoring that detects anomalies as they happen, not after your players have already disconnected.

Flowtriq provides per-second traffic monitoring that is purpose-built for exactly this scenario. Here is what it does for a FiveM server:

• PPS and bandwidth monitoring: Flowtriq's agent tracks packets per second and bandwidth on your server continuously. When a UDP flood hits port 30120, the PPS spike is detected within 1 second.
• Dynamic baselines: Flowtriq learns what normal traffic looks like for your specific server. A 64-player FiveM server during a popular event looks different from the same server at 3 AM. Static thresholds would either miss the 3 AM attack or false-alarm during the event. Dynamic baselines handle both correctly.
• Instant alerting: When an attack is detected, Flowtriq sends alerts to Discord, Slack, PagerDuty, email, or custom webhooks within seconds. You know about the attack before your players start complaining in your Discord server.
• PCAP capture: Flowtriq automatically captures packet data during detected attacks. This gives you forensic evidence showing the attack type, volume, source IP patterns, and packet characteristics. Use this data to file abuse reports with hosting providers or share with law enforcement if the attacks are sustained.
• Auto-mitigation: Flowtriq can deploy iptables rules automatically when an attack is detected, blocking malicious traffic at the host level before it overwhelms the FiveM process. For larger attacks, it escalates to BGP FlowSpec or upstream scrubbing if your infrastructure supports it.

The agent installs in under 2 minutes:

pip install ftagent
ftagent --api-key YOUR_API_KEY --node-name "fivem-rp-01"

Once running, your FiveM server appears in the Flowtriq dashboard with real-time PPS graphs, protocol breakdowns, and incident history. You can see every attack that has ever hit your server, how long it lasted, and what type it was.

Protected vs Unprotected: What the Difference Looks Like

Let us walk through the same attack scenario against two FiveM servers: one with no protection beyond the hosting provider's default, and one running Flowtriq with properly configured firewall rules.

Unprotected FiveM server

Timeline of a 2 Gbps UDP flood against an unprotected FiveM server:

00:00  Attack begins. 2 Gbps of UDP packets hit port 30120.
00:03  Players start rubber-banding. Desync increases.
00:08  Mass disconnects begin. 40 out of 50 players drop.
00:15  Server process stops responding. txAdmin marks it as crashed.
00:30  Hosting provider detects the flood and null-routes the IP.
00:30  Server is completely offline. New players see "connection timed out."
01:00  You notice Discord is full of "server down?" messages.
01:15  You SSH into the server and realize it has been null-routed.
01:20  You open a support ticket with the hosting provider.
03:00  Provider lifts the null-route. Server comes back online.
03:05  Attacker sees the server is back. Attack resumes.
03:10  Server is null-routed again. Cycle repeats.

Total downtime: 4-8 hours across multiple null-route cycles.
Players lost: most of them went to another server.

Protected FiveM server (Flowtriq + firewall rules)

Timeline of the same 2 Gbps UDP flood against a protected server:

00:00  Attack begins. 2 Gbps of UDP packets hit port 30120.
00:01  Flowtriq detects PPS anomaly. Alert fires to Discord and Slack.
00:01  Auto-mitigation deploys iptables rate-limiting rules.
00:02  Host-level rules drop ~60% of attack traffic from top sources.
00:03  Attack volume still exceeds host capacity. Flowtriq escalates
       to BGP FlowSpec at the upstream router.
00:05  FlowSpec rules active. Attack traffic filtered at network edge.
00:05  Legitimate player traffic passes through normally.
00:06  Players experience ~5 seconds of minor lag. No disconnects.
00:07  Server is fully stable. Game continues.

05:00  Attack subsides. Flowtriq removes FlowSpec rules.
       Full incident report with PCAP available in dashboard.

Total downtime: 0 seconds.
Player impact: 5 seconds of minor lag.

The difference is not subtle. It is the difference between losing your player base overnight and having a minor blip that most players do not even notice.

Summary: Your FiveM Protection Checklist

Here is everything covered in this guide, condensed into an actionable checklist:

1. Firewall rules: Deploy the iptables ruleset above. Whitelist only necessary ports. Rate-limit UDP and TCP SYN on port 30120.
2. Hide from server list: If your server is private, set sv_master1 "" in server.cfg.
3. Non-default port: Move off port 30120 to reduce automated attacks.
4. Hosting provider: Choose a provider with game-specific DDoS protection (OVH Game, Path.net).
5. Restrict txAdmin: Limit the web panel to your admin IP only.
6. Drop spoofed packets: Block RFC 1918 and bogon source addresses at the firewall.
7. Real-time monitoring: Install Flowtriq's agent for per-second detection and instant alerts.
8. Auto-mitigation: Configure Flowtriq's escalation policies so attacks are handled automatically, even at 3 AM.
9. PCAP forensics: Enable packet capture so you have evidence for abuse reports and pattern analysis.
10. Alert routing: Set up Discord alerts for your community and Slack or PagerDuty for your admin team.

FiveM servers will continue to be DDoS targets as long as the community remains competitive and booter services remain cheap. You cannot prevent attacks from happening, but you can make your server resilient enough that attacks have no meaningful impact on your players.

Back to Blog

Related Articles