Why Minecraft Is the #1 DDoS Target
Of all game servers on the internet, Minecraft servers receive more DDoS attacks than any other type. This is not a marginal difference. Minecraft servers are targeted at roughly 3-5x the rate of the next most-attacked game (typically CS2 or Rust). The reasons are structural and specific to the Minecraft ecosystem.
Competitive PvP servers. Factions, KitPvP, practice PvP, and UHC servers run some of the most competitive gameplay on the internet. When real money, leaderboard positions, and server reputations are at stake, players and server owners alike resort to DDoS attacks to eliminate competition. A 30-second flood during a faction raid can decide weeks of gameplay. A 5-minute outage during a UHC tournament eliminates an entire team.
Rival server owners. The Minecraft server hosting market is intensely competitive. Thousands of servers compete for the same player base across similar game modes. Some server operators resort to DDoS attacks against rivals to drive players to their own server. This is especially common during server launches, when a new competitor tries to establish itself by knocking the existing market leader offline during peak hours.
Low barrier to attack. DDoS-for-hire services (commonly called booters or stressers) cost as little as $5-10 per month and require zero technical knowledge. A 14-year-old who got banned from a Minecraft server can purchase a booter subscription, paste in the server's IP address, and launch a multi-gigabit attack within minutes. The Minecraft community has a well-documented culture of "booting" that normalizes DDoS attacks as an acceptable response to in-game conflicts.
Easily discoverable IPs. Minecraft servers advertise their IP addresses publicly on server list websites like Minecraft Server List, Planet Minecraft, and dozens of others. The server's IP is literally its marketing material. Unlike web applications that sit behind CDNs and reverse proxies, a Minecraft server's IP is public, permanent, and directly attackable.
Grief and revenge. A significant portion of Minecraft DDoS attacks have no strategic motive whatsoever. Players attack servers because they were banned, because they lost a fight, because their build was griefed, or simply because they find it entertaining. The combination of a young player base, easily accessible attack tools, and minimal legal consequences creates a perfect storm.
Minecraft Network Architecture
Before discussing protection strategies, you need to understand the ports and protocols that a Minecraft server exposes. Each one represents a potential attack surface.
Default ports and protocols
Port    Protocol   Service               Attack Surface
──────────────────────────────────────────────────────────────────────────────
25565   TCP        Minecraft game        Primary target: SYN floods, bot joins
25565   UDP        Minecraft query       Amplification vector if enabled
25575   TCP        RCON (remote admin)   Brute force, unauthorized access
19132   UDP        Bedrock Edition       UDP flood target
Port 25565 TCP is the primary game port. All player connections, chunk data, entity updates, chat messages, and plugin communications flow over this single TCP connection. This is the port that attackers target most often because flooding it directly impacts player connectivity.
Port 25565 UDP is the query protocol port. When enabled, it responds to unauthenticated UDP packets with server information (player count, MOTD, version). This is an amplification vector: a small query packet generates a larger response, and because UDP is stateless, the source address can be spoofed.
Port 25575 TCP is the RCON (Remote Console) port. If exposed to the internet, attackers can brute-force the RCON password or use it as an additional attack vector. RCON should never be accessible from the public internet.
BungeeCord/Velocity proxy layer
Any Minecraft network with more than one server should be running a proxy layer. The two dominant options are BungeeCord (and its fork Waterfall) and Velocity. The proxy sits in front of your backend servers, and players connect to the proxy instead of directly to backend servers.
                    ┌─────────────────┐
Players ──────────► │  Proxy (25565)  │
                    │  BungeeCord or  │
                    │  Velocity       │
                    └────────┬────────┘
                             │
              ┌──────────────┼──────────────┐
              ▼              ▼              ▼
         ┌──────────┐   ┌──────────┐   ┌──────────┐
         │ Lobby    │   │ Survival │   │ Factions │
         │ Backend  │   │ Backend  │   │ Backend  │
         └──────────┘   └──────────┘   └──────────┘
This architecture is the foundation of Minecraft DDoS protection because it hides your backend server IPs from players. The only publicly visible IP is the proxy server. If an attacker floods the proxy, your backend servers and their world data remain safe. You can replace or re-IP the proxy without losing any game data.
Common Attacks Against Minecraft Servers
Understanding the specific attack types that target Minecraft servers is essential for building effective defenses. These go well beyond simple volumetric floods.
TCP SYN flood on port 25565
The most common volumetric attack against Minecraft servers. The attacker sends millions of TCP SYN packets to port 25565, exhausting the server's connection state table. The Minecraft server process cannot accept new player connections, and existing players experience severe lag or disconnections. SYN floods are effective because every SYN packet forces the server to allocate kernel resources for the half-open connection.
UDP flood (bandwidth saturation)
Raw UDP floods aim to saturate the server's network link. Because Minecraft's primary game protocol is TCP, all inbound UDP traffic to port 25565 (unless you need query) can be safely dropped at the firewall level. However, if the flood is large enough, it saturates the network link before reaching the firewall, affecting all services on the server including the game port.
Bot joins (application-layer attacks)
This is Minecraft-specific and one of the most damaging attack types. The attacker uses a botnet of compromised Minecraft accounts (or cracked-mode connections) to flood the server with hundreds or thousands of simultaneous player connections. Each bot completes the full Minecraft login handshake, spawns in the world, and begins loading chunks. This consumes server RAM, CPU, and disk I/O as the server generates terrain, loads player data, and processes entity spawns for each bot.
Bot join attacks are particularly difficult to mitigate at the network level because the traffic is legitimate TCP connections following the correct Minecraft protocol. Mitigation requires application-layer filtering.
Minecraft protocol exploits
Sophisticated attackers exploit weaknesses in the Minecraft protocol itself:
- Malformed packets: Sending packets that violate the Minecraft protocol specification, causing the server to throw exceptions, consume CPU in error handling, or crash entirely.
- Chunk loading abuse: Bots that connect and rapidly move across the world, forcing the server to generate and send massive amounts of chunk data. This exhausts server CPU (terrain generation) and bandwidth (sending chunk packets).
- Book and sign exploits: Sending books or signs containing extremely long strings or deeply nested NBT data that causes the server to hang when parsing or rendering the data. A single malicious book can crash an unpatched server.
- Plugin-specific exploits: Many popular plugins have vulnerabilities that can be triggered by crafted packets. Chat plugins, economy plugins, and permission plugins have all had vulnerabilities that crashed servers.
Query amplification
When enable-query=true in server.properties, the server responds to UDP query packets on port 25565 with detailed server information. The response is typically 5-10x larger than the request. Attackers send query packets with a spoofed source IP (the victim's IP), and the Minecraft server becomes an unwitting amplifier, flooding the victim with query responses. Even if your server is not the target, having query enabled means you could be used as an amplification vector.
BungeeCord/Velocity Proxy Security
Running a proxy is the single most important step you can take to protect a Minecraft network. But the proxy must be configured correctly, or it creates more problems than it solves.
Why you must run a proxy
Without a proxy, every backend server's IP is visible to players. If a player discovers the IP of your Factions server (trivially easy via DNS lookups, packet sniffing, or simple ping commands), they can attack that specific backend directly. With a proxy, only the proxy IP is public. Backend servers have private or secondary IPs that are never exposed to players.
Firewall backend servers to accept only proxy traffic
This is the most critical and most commonly missed step. Your backend servers must be firewalled so that the Minecraft port only accepts connections from the proxy server's IP address. Without this rule, an attacker who discovers a backend IP (through DNS history, misconfigurations, or brute-force scanning) can attack it directly, bypassing the proxy entirely.
# On each backend server: allow only the proxy IP to connect to Minecraft
iptables -A INPUT -p tcp --dport 25565 -s PROXY_IP_HERE -j ACCEPT
iptables -A INPUT -p tcp --dport 25565 -j DROP

# If your proxy has multiple IPs (e.g., failover), use this set instead.
# Rules match in order, so every ACCEPT must come before the final DROP.
iptables -A INPUT -p tcp --dport 25565 -s PROXY_IP_1 -j ACCEPT
iptables -A INPUT -p tcp --dport 25565 -s PROXY_IP_2 -j ACCEPT
iptables -A INPUT -p tcp --dport 25565 -j DROP
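A way to check a backend's rule order against this requirement, as an added example (not code from the original page): it replays `iptables -S INPUT`-style output with first-match semantics and reports when a proxy is blocked or a non-proxy source can reach the game port. The addresses and the three rule sets are constructed samples, and only the options used on this page are parsed.

```python
import ipaddress

# Options understood by this sketch; each takes exactly one argument.
OPTS = {"-A": "chain", "-s": "src", "-p": "proto", "-m": "match",
        "--dport": "dport", "-j": "target"}

def parse_rules(text):
    """Parse `iptables -S INPUT`-style text into (policy, [rule dicts])."""
    policy, rules = "ACCEPT", []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "-P":                 # e.g. "-P INPUT ACCEPT"
            policy = tokens[2]
            continue
        if len(tokens) % 2:
            raise ValueError(f"unparsed rule: {line!r}")
        rule = {}
        for opt, val in zip(tokens[::2], tokens[1::2]):
            if opt not in OPTS:               # refuse to guess at unknown matches
                raise ValueError(f"unsupported option {opt!r} in {line!r}")
            rule[OPTS[opt]] = val
        rules.append(rule)
    return policy, rules

def verdict(rules, src, proto, dport, policy):
    """First matching rule wins; the chain policy applies if nothing matches."""
    for r in rules:
        if r.get("proto", proto) != proto:
            continue
        if "dport" in r and int(r["dport"]) != dport:
            continue
        if "src" in r and ipaddress.ip_address(src) not in \
                ipaddress.ip_network(r["src"], strict=False):
            continue
        return r["target"]
    return policy

def audit_backend(ruleset, proxy_ips, outsider="203.0.113.50", port=25565):
    """Return findings for a backend that must accept the game port from proxies only."""
    policy, rules = parse_rules(ruleset)
    findings = []
    for ip in proxy_ips:
        if verdict(rules, ip, "tcp", port, policy) != "ACCEPT":
            findings.append(f"proxy {ip} is blocked on {port}/tcp")
    if verdict(rules, outsider, "tcp", port, policy) == "ACCEPT":
        findings.append(f"non-proxy source can reach {port}/tcp directly")
    return findings

# Constructed samples (documentation-range addresses, not real hosts).
PROXIES = ["192.0.2.10", "192.0.2.11"]
CORRECT = """
-P INPUT ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 25565 -j ACCEPT
-A INPUT -s 192.0.2.11/32 -p tcp -m tcp --dport 25565 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25565 -j DROP
"""
APPENDED_LATE = """
-P INPUT ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 25565 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25565 -j DROP
-A INPUT -s 192.0.2.11/32 -p tcp -m tcp --dport 25565 -j ACCEPT
"""
NO_DROP = """
-P INPUT ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 25565 -j ACCEPT
-A INPUT -s 192.0.2.11/32 -p tcp -m tcp --dport 25565 -j ACCEPT
"""

if __name__ == "__main__":
    for name, ruleset in [("correct", CORRECT), ("appended late", APPENDED_LATE),
                          ("no drop", NO_DROP)]:
        print(name, audit_backend(ruleset, PROXIES))
```

The second sample is what results from adding a failover proxy with `-A` after the DROP already exists; the third is an allow-list with no DROP and an ACCEPT policy, which leaves the backend open.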
BungeeCord ip_forward + firewall
BungeeCord uses the ip_forward setting to pass the player's real IP address to backend servers. When ip_forward: true is set in BungeeCord's config, backend servers must set bungeecord: true in their spigot.yml. However, this creates a critical vulnerability: if the backend server accepts direct connections (without the firewall rules above), anyone can connect directly and spoof any IP address, including impersonating administrators.
The firewall rules are not optional. They are a security requirement when using ip_forward.
Velocity modern forwarding
Velocity's modern forwarding mode is more secure than BungeeCord's ip_forward. It uses a shared secret (forwarding-secret) between the proxy and backend servers to cryptographically verify that connections are coming from the proxy. Even if an attacker connects directly to a backend server, they cannot forge the forwarding token without knowing the secret.
# velocity.toml
player-info-forwarding-mode = "modern"

# In each backend's paper-global.yml (Paper servers)
proxies:
  velocity:
    enabled: true
    online-mode: true
    secret: "your-random-secret-here"
If you are building a new network, use Velocity with modern forwarding. If you are running BungeeCord, consider migrating to Velocity or at minimum ensure your firewall rules are airtight.
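The difference between the two forwarding models, as an added example that is not Velocity's, BungeeCord's or this page's code: a backend that trusts whatever player info the connecting peer supplies, beside one that only accepts info carrying a valid tag computed with the shared secret. HMAC-SHA256, the JSON payload layout, the function names and the sample values are assumptions for illustration, not the proxies' wire format.

```python
import hashlib
import hmac
import json

TAG_LEN = 32  # length of an HMAC-SHA256 tag in bytes

def proxy_forward(secret: bytes, player_ip: str, username: str) -> bytes:
    """Proxy side: serialize the player info and prepend a MAC over it."""
    payload = json.dumps({"ip": player_ip, "name": username},
                         sort_keys=True).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return tag + payload

def backend_accept_authenticated(secret: bytes, message: bytes):
    """Backend side: return the forwarded info only if the MAC verifies."""
    if len(message) <= TAG_LEN:
        return None
    tag, payload = message[:TAG_LEN], message[TAG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison, so the check does not leak how many bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)

def backend_accept_unauthenticated(payload: bytes):
    """Backend with plain forwarding and no firewall: the claim is simply trusted."""
    return json.loads(payload)

def demo():
    secret = b"constructed-shared-secret"      # sample value, not a real secret
    genuine = proxy_forward(secret, "198.51.100.7", "Steve")

    # A peer connecting directly to the backend does not know the secret.
    forged = proxy_forward(b"wrong-guess", "127.0.0.1", "Admin")
    # A genuine message altered in transit keeps its old tag.
    tampered = genuine[:TAG_LEN] + genuine[TAG_LEN:].replace(b"Steve", b"Admin")

    return {
        "genuine": backend_accept_authenticated(secret, genuine),
        "forged": backend_accept_authenticated(secret, forged),
        "tampered": backend_accept_authenticated(secret, tampered),
        "unauthenticated": backend_accept_unauthenticated(forged[TAG_LEN:]),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} -> {result}")
```

The unauthenticated backend accepts the forged identity as-is, which is why the firewall is the only control in that mode; the authenticated backend rejects both the forged and the tampered message without needing to know where the connection came from.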
TCPShield and Cosmic Guard as reverse proxies
TCPShield and Cosmic Guard are Minecraft-specific reverse proxy services that sit in front of your BungeeCord/Velocity proxy. They act as a CDN for Minecraft traffic, absorbing DDoS attacks before they reach your infrastructure. Players connect to TCPShield's anycast network, and TCPShield forwards clean traffic to your proxy.
These services are particularly valuable because they understand the Minecraft protocol. They can filter bot joins, rate-limit connections, and block known attack patterns at the application layer, something a generic DDoS protection service cannot do.
Server.properties Hardening
The default server.properties file leaves several attack surfaces open. These settings should be changed on every Minecraft server exposed to the internet.
Disable the query protocol
# server.properties
enable-query=false
Unless you specifically need the query protocol for a server list or monitoring tool, disable it. This closes the UDP attack surface on port 25565 and eliminates the amplification vector. Most modern server list websites and monitoring tools use the TCP server list ping instead, which does not require the query protocol.
Disable or restrict RCON
# server.properties
enable-rcon=false

# If RCON is required, bind it to localhost only
rcon.port=25575
# Then use SSH tunneling to access RCON remotely
RCON provides full server console access. If an attacker brute-forces the RCON password, they have complete control of the server. Disable RCON unless you specifically need it, and if you do need it, bind it to localhost and access it through an SSH tunnel.
Tune network-compression-threshold
# server.properties
network-compression-threshold=256
This setting controls the minimum packet size before compression is applied. The default value of 256 bytes is reasonable. Setting it too low wastes CPU on compressing small packets. Setting it to -1 disables compression entirely, which increases bandwidth usage and makes your server more vulnerable to bandwidth-saturation attacks. Keep it at the default unless you have a specific reason to change it.
Set max-players as a resource limit
# server.properties
max-players=100
The max-players setting is not just a gameplay preference. It is a resource limit. Set it to the maximum number of players your server can actually handle without degraded performance. During a bot join attack, this limits the number of bots that can connect simultaneously, reducing the resource impact of the attack.
Firewall Rules for Minecraft Servers
These iptables rules provide network-level protection against the most common attack types targeting Minecraft servers. Apply them on the proxy server (or on a standalone server that is not behind a proxy).
Rate limit new TCP connections to port 25565
# Limit new connections to 5 per second per source IP
# Prevents SYN floods and rapid reconnection attacks
iptables -A INPUT -p tcp --dport 25565 -m state --state NEW \
  -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 10 \
  --hashlimit-mode srcip --hashlimit-name mc_conn_limit \
  -j DROP
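This rule allows a normal player to connect and reconnect without issues (5 new connections per second is more than enough for legitimate use) while blocking connection flood attacks that send hundreds of SYN packets per second from each source IP. Because the limit is keyed on source IP, it does not throttle a flood whose packets each carry a different spoofed source address; the SYN cookie settings later in this section cover that case.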
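What the 5/sec, burst 10 limit does to different traffic patterns, as an added example (not code from the original page): a per-source token bucket that models the hashlimit rule above, run over three constructed event streams. The model approximates hashlimit's accounting rather than reproducing the kernel's, and all addresses and timings are made up for the illustration.

```python
def make_limiter(rate_per_sec=5, burst=10):
    """Per-source token bucket, kept in integer milli-tokens to avoid float drift."""
    capacity = burst * 1000
    buckets = {}                          # src -> (milli_tokens, last_seen_ms)

    def over_limit(src, now_ms):
        tokens, last = buckets.get(src, (capacity, now_ms))
        # rate_per_sec tokens per second == rate_per_sec milli-tokens per ms
        tokens = min(capacity, tokens + (now_ms - last) * rate_per_sec)
        exceeded = tokens < 1000          # not enough for one new connection
        if not exceeded:
            tokens -= 1000
        buckets[src] = (tokens, now_ms)
        return exceeded                   # True means the DROP rule matches

    return over_limit

def run(events, rate_per_sec=5, burst=10):
    """events: iterable of (time_ms, source_ip). Returns (passed, dropped)."""
    over_limit = make_limiter(rate_per_sec, burst)
    passed = dropped = 0
    for now_ms, src in events:
        if over_limit(src, now_ms):
            dropped += 1
        else:
            passed += 1
    return passed, dropped

# Constructed traffic, one new-connection attempt per tuple.
# 1. A player who joins, rejoins after two seconds, retries, and rejoins later.
PLAYER = [(0, "198.51.100.7"), (2000, "198.51.100.7"),
          (2100, "198.51.100.7"), (9000, "198.51.100.7")]
# 2. 1000 attempts in one second from a single address.
SINGLE_SOURCE = [(ms, "203.0.113.9") for ms in range(1000)]
# 3. 1000 attempts in one second, each with a different source address.
MANY_SOURCES = [(ms, f"10.{ms // 256}.{ms % 256}.1") for ms in range(1000)]

def summary():
    return {
        "player": run(PLAYER),
        "single_source": run(SINGLE_SOURCE),
        "many_sources": run(MANY_SOURCES),
    }

if __name__ == "__main__":
    for name, (passed, dropped) in summary().items():
        print(f"{name:14} passed={passed:4} dropped={dropped:4}")
```

The single-source burst is cut to the initial burst plus the refill rate, while the many-source stream passes untouched because every address starts with a full bucket; that traffic has to be handled by SYN cookies, the global limits and upstream filtering instead.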
Drop UDP to port 25565
# If query is disabled (as recommended), drop all UDP to the game port
iptables -A INPUT -p udp --dport 25565 -j DROP
With enable-query=false, no legitimate traffic arrives on UDP port 25565. Dropping all UDP to this port eliminates the entire UDP attack surface for the game port.
Restrict RCON access
# Allow RCON only from specific management IPs
iptables -A INPUT -p tcp --dport 25575 -s YOUR_MANAGEMENT_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 25575 -j DROP
Global rate limits with hashlimit
# Global per-IP packet rate limit (all ports)
# Drop sources sending more than 100 packets/second
iptables -A INPUT -m hashlimit --hashlimit-above 100/sec \
  --hashlimit-burst 150 --hashlimit-mode srcip \
  --hashlimit-name global_pps -j DROP

# Limit ICMP to prevent ping floods
iptables -A INPUT -p icmp --icmp-type echo-request \
  -m hashlimit --hashlimit-above 2/sec --hashlimit-burst 5 \
  --hashlimit-mode srcip --hashlimit-name icmp_limit \
  -j DROP
SYN flood protection with syncookies
# Enable SYN cookies (kernel parameter, not iptables)
sysctl -w net.ipv4.tcp_syncookies=1

# Make it persistent
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf

# Additional TCP hardening
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_synack_retries=2
sysctl -w net.core.somaxconn=4096
Complete firewall script
Here is a complete iptables script for a Minecraft proxy server:
#!/bin/bash
# Minecraft proxy firewall rules

# Flush existing rules
iptables -F INPUT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow SSH (restrict to your IPs in production)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Minecraft: rate-limit new connections
iptables -A INPUT -p tcp --dport 25565 -m state --state NEW \
  -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 10 \
  --hashlimit-mode srcip --hashlimit-name mc_conn -j DROP

# Minecraft: allow TCP game traffic
iptables -A INPUT -p tcp --dport 25565 -j ACCEPT

# Minecraft: drop all UDP to game port
iptables -A INPUT -p udp --dport 25565 -j DROP

# RCON: management IPs only (or drop all if not needed)
iptables -A INPUT -p tcp --dport 25575 -j DROP

# ICMP rate limit
iptables -A INPUT -p icmp --icmp-type echo-request \
  -m hashlimit --hashlimit-above 2/sec --hashlimit-burst 5 \
  --hashlimit-mode srcip --hashlimit-name icmp -j DROP
iptables -A INPUT -p icmp -j ACCEPT

# Default drop
iptables -P INPUT DROP
Anti-Bot Plugins
Network-level firewalls cannot stop bot join attacks because the bots use valid TCP connections following the correct Minecraft protocol. Application-layer filtering is required, and the Minecraft ecosystem has several plugins built specifically for this purpose.
BotSentry
BotSentry is one of the most widely used anti-bot plugins for BungeeCord and Velocity. It detects bot connections by analyzing login behavior: bots tend to connect in rapid bursts from sequential IPs, use randomized usernames following detectable patterns, and fail behavioral checks that real players pass. BotSentry can force new connections through a verification process (CAPTCHA, click challenge) before allowing them to join the server.
EpicGuard
EpicGuard is a free, open-source anti-bot solution that runs on BungeeCord, Velocity, and standalone Spigot/Paper servers. It provides connection rate limiting, geographic filtering (block connections from countries where you have no players), nickname pattern detection, and integration with IP reputation databases. For small to mid-size servers, EpicGuard provides solid bot protection at no cost.
AntiBot / BotFilter
Several plugins under these names provide similar functionality: connection throttling, forced-join verification, and suspicious behavior detection. The key features to look for in any anti-bot plugin are:
- Connection rate limiting: Throttle the number of new connections per second globally and per IP.
- Verification challenges: Force new players to complete a challenge (move, chat, click) before joining the main server.
- IP reputation: Check connecting IPs against known proxy/VPN/botnet databases.
- Geographic filtering: Block or throttle connections from regions where you have no legitimate players.
- Whitelist/blacklist: Automatically whitelist verified players so they bypass checks on subsequent logins.
Anti-bot plugins are a critical layer but they are not a replacement for network-level DDoS protection. They handle application-layer bot attacks. They do nothing against volumetric SYN floods, UDP floods, or bandwidth-saturation attacks that overwhelm the server before the Minecraft process even sees the traffic.
Hosting Provider Selection
Your choice of hosting provider is a foundational DDoS protection decision. Some providers include robust game-aware DDoS protection. Others will null-route your IP at the first sign of an attack. The Minecraft hosting community has strong opinions here, and most of them are earned from direct experience.
OVH Game DDoS Protection
OVH is the most popular infrastructure provider in the Minecraft hosting ecosystem, and for good reason. Their Game DDoS Protection product provides always-on, protocol-aware scrubbing that understands Minecraft traffic patterns. The VAC (anti-DDoS vacuum) system filters attack traffic while passing legitimate game connections. OVH Game servers are the default recommendation for Minecraft networks that need built-in DDoS protection. Limitations include detection latency (15-60 seconds before mitigation activates) and limited configurability of thresholds.
Hetzner
Hetzner offers excellent value for Minecraft hosting with good hardware at competitive prices. Their DDoS protection is basic: they null-route IPs receiving more than approximately 500 Mbps of attack traffic. For small servers that rarely face attacks, Hetzner works well. For competitive PvP servers or networks that face regular attacks, Hetzner's protection is insufficient on its own. Layering Flowtriq on top of Hetzner provides the detection and Tier 1/Tier 2 mitigation that Hetzner lacks.
Dedicated Minecraft hosting providers
Several hosting companies specialize exclusively in Minecraft server hosting and include DDoS protection as part of their service:
- Bloom Host: Premium Minecraft hosting with built-in DDoS protection, modern hardware, and Pterodactyl-based management panel.
- Apex Hosting: One of the largest Minecraft hosting providers. Includes DDoS protection and has extensive experience with Minecraft-specific attack patterns.
- BisectHosting: Popular budget option with included DDoS protection suitable for small to mid-size servers.
TCPShield and Cosmic Guard
These are not hosting providers but reverse proxy services specifically for Minecraft. They sit in front of your existing infrastructure (regardless of hosting provider) and filter traffic at the protocol level. TCPShield's free tier handles basic bot protection and small volumetric attacks. Their paid tiers handle larger attacks with dedicated capacity. Cosmic Guard provides similar functionality with different pricing tiers.
The advantage of a Minecraft-specific proxy service is protocol awareness. TCPShield can inspect Minecraft handshake packets, detect bot patterns, and enforce rate limits at the application layer. A generic DDoS protection service treats Minecraft traffic as opaque TCP connections and cannot provide this level of granularity.
Monitoring with Flowtriq
The protections described above (proxies, firewalls, anti-bot plugins, hosting provider DDoS protection) are all preventive measures. But prevention without visibility is incomplete. You need to know when attacks happen, how large they are, what type they are, and whether your defenses are working.
Flowtriq provides per-second traffic monitoring and anomaly detection for every node in your Minecraft network. Install the agent on each server (proxy and backends) and get real-time visibility into what is happening on your network.
Per-second PPS monitoring on game ports
Flowtriq monitors packets per second, bytes per second, protocol distribution, and packet-size histograms on every port. For Minecraft servers, this means you can see exactly how many packets are hitting port 25565 every second. When a SYN flood starts, Flowtriq detects the spike within 1-2 seconds and triggers automated mitigation before players notice.
# Install Flowtriq agent on your Minecraft proxy
pip install ftagent
ftagent --api-key YOUR_KEY --node-name "mc-proxy-01"

# Install on backend servers for full visibility
ftagent --api-key YOUR_KEY --node-name "mc-survival-backend"
ftagent --api-key YOUR_KEY --node-name "mc-factions-backend"
Detect floods before players notice
A Minecraft server under a SYN flood starts experiencing player lag within 3-5 seconds. Within 10 seconds, players begin disconnecting. Within 30 seconds, the server process may crash. Flowtriq detects the anomaly within 1-2 seconds of onset. With auto-mitigation enabled, iptables rules deploy in the same second, blocking the attack before the game engine registers any impact.
Compare this to relying on player reports ("the server is laggy") or hosting provider detection (15-60 seconds for OVH, minutes for others). By the time a human notices the attack, Flowtriq has already contained it.
Discord webhook alerts
Discord is the standard communication platform for Minecraft communities. Nearly every Minecraft server of any size runs a Discord server for player communication, support, and announcements. Flowtriq integrates directly with Discord webhooks, sending automated alerts to your staff channel when an attack is detected.
The alert includes the node name, attack type (SYN flood, UDP flood, connection spike), current PPS, baseline PPS, and mitigation status. Your staff sees in real time that an attack is in progress and that Flowtriq is handling it. This eliminates the scramble of "what is happening?" messages and gives your team confidence that the situation is under control.
PCAP evidence capture
When Flowtriq detects an attack on your Minecraft server, it automatically captures packet data. These PCAP files are invaluable for:
- Filing abuse reports with your hosting provider or upstream transit
- Identifying attack patterns and repeat attackers
- Providing evidence if you need to involve law enforcement
- Post-incident analysis to improve your defenses
Network Architecture Best Practices
Putting it all together, here is the recommended architecture for a Minecraft network of any size.
               ┌──────────────────────┐
               │  DNS (SRV record)    │
               │  play.yourserver.com │
               └──────────┬───────────┘
                          │
               ┌──────────▼───────────┐
               │  TCPShield / Cosmic  │
               │  Guard (optional     │
               │  reverse proxy)      │
               └──────────┬───────────┘
                          │
               ┌──────────▼───────────┐
               │  Proxy Server        │
               │  Velocity / Bungee   │
               │  + Flowtriq agent    │
               │  + Anti-bot plugin   │
               │  Public IP: A.B.C.D  │
               └──────────┬───────────┘
                          │ (private network)
       ┌──────────────────┼──────────────────┐
       ▼                  ▼                  ▼
┌──────────────┐   ┌──────────────┐   ┌──────────────┐
│ Lobby        │   │ Survival     │   │ Factions     │
│ Backend      │   │ Backend      │   │ Backend      │
│ + Flowtriq   │   │ + Flowtriq   │   │ + Flowtriq   │
│ FW: proxy    │   │ FW: proxy    │   │ FW: proxy    │
│ IP only      │   │ IP only      │   │ IP only      │
└──────────────┘   └──────────────┘   └──────────────┘
Separate IPs for proxy and backends
Your proxy server should have a dedicated public IP that is only used for the proxy. Backend servers should either use private IPs (if on the same local network) or different public IPs that are never published anywhere. The goal is to ensure that attacking the proxy IP does not affect backend servers, and that backend IPs are not discoverable.
DNS configuration
Use an SRV record so players can connect using a clean domain name:
# DNS records
_minecraft._tcp.play.yourserver.com   SRV   0 5 25565 proxy.yourserver.com
proxy.yourserver.com                  A     YOUR_PROXY_IP
If you use TCPShield or Cosmic Guard, point the A record to their anycast IP instead of your proxy's direct IP. This ensures all player traffic routes through the protection layer.
Redundancy
For networks that cannot tolerate any downtime, run two proxy servers with a shared IP (via BGP anycast) or use DNS-based failover. If the primary proxy is overwhelmed, traffic automatically shifts to the secondary. Flowtriq monitors both proxies independently and triggers mitigation on whichever node is under attack.