Why FiveM Servers Are Hard to Protect
FiveM uses a dual-protocol architecture. The game client connects to port 30120 using both TCP (for initial handshake, resource downloads, and HTTP API) and UDP (for real-time game state synchronization). This creates a challenge for DDoS protection because you cannot simply block all UDP to the game port, and you cannot block all TCP either. Both are needed for the server to function.
FiveM servers also tend to run custom scripts, mods, and resource packs that increase the server's attack surface. A heavily modded roleplay server might have 100+ resources, each potentially opening additional ports or making external API calls.
The FiveM community is large and competitive. Server rankings on sites like servers.fivem.net are based on player count, and server owners compete for players. This competition sometimes spills over into DDoS attacks aimed at taking competitors offline.
Common Attack Patterns
UDP floods targeting port 30120
The most common attack. Millions of UDP packets per second are sent to port 30120. Because the FiveM game protocol uses UDP on this port, simple "block all UDP" rules are not an option. The flood drowns out legitimate player game-state packets, causing mass disconnections and rubberbanding.
Mixed TCP+UDP floods
Sophisticated attackers send both TCP SYN floods and UDP floods simultaneously. The TCP flood exhausts the connection table (preventing new player joins and resource downloads), while the UDP flood disrupts existing player sessions. This dual approach makes the attack harder to mitigate with single-protocol rules.
Amplification attacks
DNS and NTP amplification directed at the FiveM server's IP. These produce massive bandwidth, often 1-10 Gbps from a small number of requests. The traffic comes from legitimate DNS/NTP servers with spoofed source IPs, so blocking by source IP would block real infrastructure.
Player connection floods
Botnets that repeatedly initiate FiveM connections, triggering the authentication and resource download sequence. Each connection consumes server resources even if the "player" never fully joins. This is an application-layer attack that looks like legitimate traffic at the network level.
Detection Setup
Install the agent
    pip install ftagent
    sudo ftagent --setup

Or use the one-liner:

    curl -sL https://get.flowtriq.com | sudo bash
Configure FiveM service ports
Register the ports that FiveM uses as legitimate service traffic:
Service Ports for FiveM:

    30120/tcp - Client connections, HTTP API, resource downloads
    30120/udp - Game state synchronization
    40120/tcp - txAdmin web panel (if using txAdmin)
    30110/udp - Voice chat (if using pma-voice or similar)
With service ports configured, the agent builds a baseline specifically for FiveM traffic. It learns what normal looks like: how many players connect per minute, what the typical UDP packet rate is during peak hours, and how resource downloads affect TCP traffic patterns.
Detection signals
The agent watches for several signals simultaneously:
- PPS deviation: A sudden spike in packets per second that exceeds the rolling baseline by a configurable threshold
- Protocol ratio change: Normal FiveM traffic has a characteristic TCP/UDP ratio. Attacks shift this ratio dramatically.
- Bandwidth spike: Amplification attacks produce high bandwidth with relatively lower PPS. The agent monitors both.
- Connection rate: A sudden surge in new TCP connections to port 30120 that exceeds normal player join rates
- Non-service port traffic: Any significant traffic to ports other than your configured service ports is suspicious
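The signals listed above, sketched as an added example (not ftagent's code and not part of the original guide): each per-second sample is compared against a rolling baseline built only from unflagged seconds. The field names, the 4x factor, the 5% off-port threshold and every sample value are assumptions constructed for illustration.

```python
from collections import deque
from statistics import mean

FIELDS = ("udp_pps", "tcp_pps", "bytes", "syn", "off_port_pps")

def signals(sample, history, factor=4.0):
    """Return the names of the signals this sample trips against the baseline."""
    base = {f: mean(h[f] for h in history) for f in FIELDS}
    base_pps = base["udp_pps"] + base["tcp_pps"]
    pps = sample["udp_pps"] + sample["tcp_pps"]
    ratio = sample["tcp_pps"] / max(sample["udp_pps"], 1)
    base_ratio = base["tcp_pps"] / max(base["udp_pps"], 1)
    hits = []
    if pps > factor * base_pps:                      # PPS deviation
        hits.append("pps")
    if ratio > factor * base_ratio or ratio < base_ratio / factor:
        hits.append("ratio")                         # TCP/UDP mix shifted either way
    if sample["bytes"] > factor * base["bytes"]:     # bandwidth spike
        hits.append("bandwidth")
    if sample["syn"] > factor * base["syn"]:         # new-connection surge
        hits.append("conn_rate")
    if sample["off_port_pps"] > 0.05 * base_pps:     # traffic outside service ports
        hits.append("off_port")
    return hits

def scan(samples, window=30, warmup=10):
    """Map sample index -> tripped signals; flagged seconds never enter the baseline."""
    history, alerts = deque(maxlen=window), {}
    for i, s in enumerate(samples):
        hits = signals(s, history) if len(history) >= warmup else []
        if hits:
            alerts[i] = hits
        else:
            history.append(s)
    return alerts

def mk(udp, tcp, nbytes, syn, off):
    return dict(zip(FIELDS, (udp, tcp, nbytes, syn, off)))

# Constructed data: 30 quiet seconds, then one second of each attack shape.
NORMAL = [mk(4000 + (i % 5) * 50, 400 + (i % 3) * 10,
             900_000 + (i % 4) * 10_000, 5 + i % 2, 2) for i in range(30)]
ATTACKS = [
    mk(900_000, 380, 54_000_000, 5, 2),    # UDP flood on the game port
    mk(12_000, 400, 16_800_000, 5, 2),     # amplification: large packets, modest PPS
    mk(4_100, 1_500, 1_100_000, 400, 2),   # connection flood: SYN surge only
    mk(4_100, 410, 950_000, 5, 3_000),     # traffic to non-service ports
]
```

Calling `scan(NORMAL + ATTACKS)` flags the amplification second on bandwidth alone, which is why bandwidth and PPS are tracked separately.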
Automated Mitigation
On-server firewall rules
When an attack is detected, ftagent deploys targeted iptables rules. For a UDP flood to port 30120, it applies rate limiting that allows normal player traffic through while dropping excessive flood packets:
    # Example rule for UDP rate limiting on FiveM port
    iptables -A FTAGENT -p udp --dport 30120 \
      -m hashlimit --hashlimit-above 1000/sec \
      --hashlimit-mode srcip \
      --hashlimit-name fivem_udp \
      -j DROP
For amplification attacks, the agent drops traffic from known amplification source ports:
    # Drop DNS amplification traffic
    iptables -A FTAGENT -p udp --sport 53 \
      -m length --length 512:65535 -j DROP

    # Drop NTP amplification traffic
    iptables -A FTAGENT -p udp --sport 123 \
      -m length --length 468:65535 -j DROP
Upstream escalation
For large volumetric attacks that exceed what on-server rules can handle (the network link itself is saturating), configure auto-escalation to BGP FlowSpec or cloud scrubbing. The escalation chain activates automatically when on-server mitigation is insufficient.
Player Impact Minimization
The goal is not just detecting the attack. It is keeping players connected. Here are specific strategies for FiveM:
- Per-source rate limiting vs blanket blocking: Rate limit per source IP rather than blocking all traffic to the port. This preserves connections from legitimate players while throttling attack sources.
- Connection table tuning: Increase net.netfilter.nf_conntrack_max to handle more concurrent connections during an attack.
- SYN cookies: Enable net.ipv4.tcp_syncookies=1 so TCP SYN floods do not prevent new player joins.
- txAdmin monitoring: If you run txAdmin, keep its web panel on a separate port (40120) so it remains accessible even during an attack on the game port.
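Why per-source limiting keeps players connected where a port-wide cap does not, as an added example (not ftagent's code or the original guide's): it models one second of traffic with fixed per-second counters, a simplification of hashlimit's token bucket. The packet rates, the 5000 pps port-wide cap and the documentation-range IP addresses are constructed assumptions.

```python
from collections import Counter

PLAYER_PPS, FLOOD_PPS = 60, 50_000               # constructed rates, not measurements
PLAYERS = [f"198.51.100.{n}" for n in range(1, 33)]
FLOOD = "203.0.113.9"

def one_second():
    """Source IP of every packet arriving in one second, in arrival order."""
    rates = {**{ip: PLAYER_PPS for ip in PLAYERS}, FLOOD: FLOOD_PPS}
    arrivals = sorted((k / r, ip) for ip, r in rates.items() for k in range(r))
    return [ip for _, ip in arrivals]

def per_source(packets, limit=1000):
    """Accept at most `limit` packets per source IP (simplified srcip hashlimit)."""
    seen, accepted = Counter(), Counter()
    for ip in packets:
        seen[ip] += 1
        if seen[ip] <= limit:
            accepted[ip] += 1
    return accepted

def blanket(packets, limit=5000):
    """Accept the first `limit` packets to the port, whatever their source."""
    return Counter(packets[:limit])

def player_delivery(accepted):
    """Fraction of legitimate player packets that got through."""
    return sum(accepted[ip] for ip in PLAYERS) / (PLAYER_PPS * len(PLAYERS))

if __name__ == "__main__":
    pkts = one_second()
    print("per-source:", player_delivery(per_source(pkts)))
    print("blanket:   ", player_delivery(blanket(pkts)))
```

With these numbers the per-source limit delivers every player packet and trims the flooding source to 1000 packets, while the port-wide cap spends most of its budget on the flood and delivers a tenth of player traffic.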
FAQ
Does Flowtriq work with FiveM running in Docker?
Yes. If your FiveM server runs in Docker (via Pterodactyl or standalone), ftagent installs on the host and applies rules in the DOCKER-USER chain so they work correctly with Docker's networking.
Can I use this alongside a DDoS proxy like CosmicGuard?
Yes. Proxy-based protection and server-level detection serve different functions. The proxy filters at the edge; ftagent monitors at the server and catches anything that gets through. They complement each other.
What about RedM servers?
RedM (Red Dead Redemption 2 multiplayer) uses the same FiveM platform and port structure. Everything in this guide applies identically to RedM servers.