Why Minecraft Servers Get DDoS'd

Minecraft servers are targeted more than any other game. The reasons are specific to the Minecraft ecosystem: competitive server listings on sites like Minecraft Server List where uptime determines ranking, grudges between players and server owners, and the low cost of booter services that can take down an unprotected server for $5-10.

The stakes are real. A server that drops off the listing sites loses players. Players who experience repeated disconnections leave permanently. Server owners who cannot keep their server online lose revenue from in-game purchases, subscriptions, and donations.

Attack Vectors Specific to Minecraft

TCP SYN floods (port 25565)

The most common attack against Minecraft Java servers. Attackers send millions of SYN packets to port 25565, exhausting the server's connection table. The Minecraft server process cannot accept new player connections because the OS is overwhelmed handling half-open connections.

Signs: conntrack table fills up, new player joins fail, existing players experience rubberbanding, netstat shows thousands of SYN_RECV connections.

# Check for SYN flood indicators:
cat /proc/net/snmp | grep Tcp
# Look at ActiveOpens and AttemptFails counters

ss -s
# Look at "synrecv" count - normal is <100, flood is >10000

UDP floods

Volumetric UDP floods targeting any port on the server. These do not target the Minecraft protocol specifically; they aim to saturate the network link. Even though Minecraft Java uses TCP, a large enough UDP flood will drown out all traffic including legitimate TCP connections.

Minecraft Bedrock servers (which use UDP on port 19132) are especially vulnerable because the legitimate protocol is UDP, making it harder to filter attacks without also blocking players.

DNS/NTP amplification

Reflected amplification attacks using spoofed source IPs. The attacker sends small requests to open DNS resolvers or NTP servers with the victim's IP as the source. The reflectors send large responses to the Minecraft server. Because the source IPs are legitimate DNS/NTP servers, simple IP blocking would block real services.

Signs: massive inbound UDP traffic from port 53 (DNS) or port 123 (NTP), packet sizes of 512-4096 bytes, hundreds of different source IPs.

Slowloris and connection exhaustion

These attacks open many TCP connections to port 25565 and keep them alive with minimal data. Each connection holds a slot in the Minecraft server's connection pool. Eventually, legitimate players cannot connect because all slots are occupied by attack connections.

This is harder to detect with simple PPS monitoring because the packet rate is low. The signal is in the connection count, not the packet rate.
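A sketch of that connection-count check, added here as an example (it is not from the original article or from Flowtriq). It counts established connections per peer address from ss output and normalizes IPv4-mapped IPv6 peers, which a dual-stack Java listener can report for IPv4 players. The limit of 5 and all addresses are constructed.

```shell
#!/bin/sh
# Added example. Real input would be:
#   ss -Htn state established '( sport = :25565 )'
# which prints: Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# conn_per_source LIMIT (ss output on stdin) -> "count address" lines for
# every peer holding more than LIMIT connections, busiest first.
conn_per_source() {
    awk -v limit="$1" '
        NF >= 4 {
            peer = $NF
            sub(/:[0-9]+$/, "", peer)     # strip the peer port
            gsub(/^\[|\]$/, "", peer)     # strip IPv6 brackets
            sub(/^::ffff:/, "", peer)     # IPv4-mapped IPv6 -> plain IPv4
            held[peer]++
        }
        END { for (ip in held) if (held[ip] > limit) print held[ip], ip }
    ' | sort -rn
}

# Emit N constructed ss lines for one LOCAL/PEER pair with distinct peer ports.
fake_conns() {
    i=0
    while [ "$i" -lt "$1" ]; do
        echo "0 0 $2:25565 $3:$((40000 + i))"
        i=$((i + 1))
    done
}

# Constructed capture: two sources hoarding slots among ordinary players.
sample_ss() {
    fake_conns 40 10.0.0.5 198.51.100.23
    fake_conns 12 '[::ffff:10.0.0.5]' '[::ffff:203.0.113.9]'
    fake_conns 2  '[2001:db8::5]' '[2001:db8::77]'
    fake_conns 1  10.0.0.5 192.0.2.14
}

sample_ss | conn_per_source 5
```

Players behind a shared NAT appear as one address, so the limit should sit above the largest household or campus group the server normally sees.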

Bot join floods

Botnets that repeatedly join the Minecraft server with random usernames, triggering the login sequence and consuming server resources. These look like legitimate connections at the network level. Detection requires protocol-aware monitoring or rapid connection rate tracking.

Detection Methods

Kernel-level monitoring

The most reliable detection method reads kernel counters directly. Install ftagent on the server:

pip install ftagent
sudo ftagent --setup

The agent reads /proc/net/snmp, /proc/net/netstat, and /sys/class/net/ every second. It builds a baseline of normal traffic for your server and triggers when traffic deviates. A Minecraft server with 50 concurrent players might see 5,000-15,000 PPS normally. A SYN flood pushes that to 500,000+ PPS. The deviation is obvious when you have a baseline.
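To show what reading those kernel counters involves, here is an added example (not ftagent's code and not from the original article) that looks counters up by name in /proc/net/snmp and /proc/net/netstat text and compares two snapshots taken a few seconds apart. The snapshots are constructed and abbreviated, the thresholds are assumptions, and the TcpExt counters SyncookiesSent and ListenDrops go beyond the two counters named earlier.

```shell
#!/bin/sh
# Added example. Sample snapshots are constructed and abbreviated; on a host use:
#   snap=$(cat /proc/net/snmp /proc/net/netstat)

# proc_counter PREFIX NAME (snapshot on stdin) -> value of that counter.
# Every protocol has a header line and a value line sharing one prefix, and the
# column order varies between kernels, so the column is looked up by name.
proc_counter() {
    awk -v p="$1:" -v n="$2" '
        $1 == p && !hdr { for (i = 2; i <= NF; i++) col[$i] = i; hdr = 1; next }
        $1 == p         { if (n in col) print $(col[n]); exit }'
}

# counter_rate PREFIX NAME BEFORE AFTER SECONDS -> increase per second
counter_rate() {
    b=$(printf '%s\n' "$3" | proc_counter "$1" "$2")
    a=$(printf '%s\n' "$4" | proc_counter "$1" "$2")
    echo $(( (${a:-0} - ${b:-0}) / $5 ))
}

# syn_flood_check BEFORE AFTER SECONDS -> one verdict line.
# Thresholds are assumptions for illustration; derive real ones from a baseline.
syn_flood_check() {
    fails=$(counter_rate Tcp AttemptFails "$1" "$2" "$3")
    cookies=$(counter_rate TcpExt SyncookiesSent "$1" "$2" "$3")
    drops=$(counter_rate TcpExt ListenDrops "$1" "$2" "$3")
    verdict=OK
    # With tcp_syncookies=1, SyncookiesSent only moves once a backlog overflowed.
    if [ "$cookies" -gt 0 ] || [ "$drops" -gt 100 ] || [ "$fails" -gt 1000 ]; then
        verdict=ALERT
    fi
    echo "$verdict attemptfails/s=$fails syncookies/s=$cookies listendrops/s=$drops"
}

HDR_TCP='Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab'
HDR_EXT='TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops'
SNAP_A="$HDR_TCP
Tcp: 1 200 120000 -1 1520 48211 310 95 52
$HDR_EXT
TcpExt: 0 0 0 12 12"
SNAP_B="$HDR_TCP
Tcp: 1 200 120000 -1 1521 48230 20310 97 49
$HDR_EXT
TcpExt: 1450000 35 90000 4012 4012"

syn_flood_check "$SNAP_A" "$SNAP_B" 5
```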

Configure service ports

Tell the agent which ports are Minecraft traffic:

# Minecraft Java Edition
Port 25565/tcp  -> Service traffic (player connections)

# Minecraft Bedrock Edition
Port 19132/udp  -> Service traffic (player connections)

# Common additional ports
Port 25575/tcp  -> RCON (admin console)
Port 8123/tcp   -> Dynmap (web map)
Port 8192/tcp   -> Votifier

With service ports configured, the agent knows that traffic to port 25565 is expected. It monitors that traffic for rate anomalies but does not treat it as suspicious by default. Traffic to other ports is treated with a lower tolerance threshold.

Set up alerts

Most Minecraft server operators live in Discord. Configure Flowtriq to send alerts to your Discord server:

Alert channel: Discord webhook
Severity filter: Medium and above
Include: Attack type, target port, PPS, bandwidth, duration

When an attack hits, your Discord channel gets a message within seconds: "DDoS detected on minecraft-01: TCP SYN Flood targeting port 25565, 340K PPS, severity High."

Automated Response

Detection without response means you just watch the attack happen faster. Configure automated mitigation:

  • SYN flood response: iptables rules with SYN rate limiting and SYN cookie enforcement on port 25565
  • UDP flood response: Drop non-service UDP traffic above baseline thresholds
  • Amplification response: Drop UDP traffic from well-known amplification source ports (53, 123, 11211, 1900)
  • Connection exhaustion: Limit concurrent connections per source IP to port 25565

Rules are deployed in the correct iptables chain. If your Minecraft server runs in Docker (Pterodactyl, AMP, etc.), rules go in DOCKER-USER. If it runs directly on the OS, rules go in INPUT.
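What such rules can look like for each chain, as an added example (written for this page, not the rules Flowtriq deploys). It covers the SYN flood, connection exhaustion and amplification responses and only prints the commands. The port and the amplification source ports come from the text above; the rates, burst and per-source connection limit are assumed values.

```shell
#!/bin/sh
# Added example: prints the rules only (dry run); pipe to `sh` as root to apply.
# Port comes from the article; every rate and limit is an assumed placeholder.
MC_PORT=25565

# mc_rules CHAIN -> iptables commands for INPUT (bare metal) or DOCKER-USER
mc_rules() {
    case $1 in
        INPUT)
            port="--dport $MC_PORT" ;;
        DOCKER-USER)
            # This chain runs after Docker's DNAT, so --dport would be the
            # container port. Match the published host port via conntrack.
            port="-m conntrack --ctorigdstport $MC_PORT --ctdir ORIGINAL" ;;
        *)
            echo "unsupported chain: $1" >&2; return 1 ;;
    esac
    # -I, not -A: the rules must sit ahead of anything already in the chain,
    # such as a trailing RETURN or ACCEPT.
    ins="iptables -I $1"

    # SYN cookies cover spoofed floods, where a per-source limit sees one SYN per IP.
    echo "sysctl -w net.ipv4.tcp_syncookies=1"
    # Per-source SYN rate limit on the game port.
    echo "$ins -p tcp --syn $port -m hashlimit --hashlimit-name mc_syn" \
         "--hashlimit-mode srcip --hashlimit-above 20/second --hashlimit-burst 40 -j DROP"
    # Cap concurrent connections per source address (connection exhaustion).
    echo "$ins -p tcp --syn $port -m connlimit --connlimit-above 8" \
         "--connlimit-mask 32 -j REJECT --reject-with tcp-reset"
    # Unsolicited UDP from reflector ports. ctstate NEW spares replies to the
    # server's own DNS and NTP queries, which conntrack marks ESTABLISHED.
    echo "$ins -p udp -m multiport --sports 53,123,11211,1900" \
         "-m conntrack --ctstate NEW -j DROP"
}

mc_rules INPUT
```

Rules in DOCKER-USER only see traffic forwarded to containers, so UDP aimed at the host itself still needs the INPUT variant.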

Practical Tips

  • Use a TCP proxy for Java Edition: Services like TCPShield or BungeeCord with IP forwarding can absorb connection-level attacks. Combine with server-level detection for full coverage.
  • Enable SYN cookies: sysctl -w net.ipv4.tcp_syncookies=1 prevents SYN floods from filling the connection table.
  • Raise conntrack limits: Default conntrack table size is too small for game servers. Set net.netfilter.nf_conntrack_max=262144.
  • Monitor during peak hours: Attacks frequently coincide with peak player activity because that is when the damage is most visible.

FAQ

Is there free DDoS detection for Minecraft servers?

Yes. ftagent is available via pip. Flowtriq offers a 14-day free trial with all features including automated mitigation and PCAP forensics. After the trial, detection starts at $9.99/month per server.

Does detection add latency to player connections?

No. ftagent reads kernel counters passively. It does not sit in the network path and does not add latency to any traffic. Firewall rules deployed during attacks operate at the kernel level with negligible performance impact.

Can I detect who is attacking my server?

For non-spoofed attacks, Flowtriq logs source IPs and captures PCAP data. For spoofed attacks (amplification), the source IPs are reflectors, not the attacker. PCAP data can be shared with your hosting provider or ISP for upstream investigation.

Protect your Minecraft server. Install ftagent with pip install ftagent and have detection running in under 5 minutes. Start your free 14-day trial for automated mitigation and PCAP forensics. Also on BuiltByBit.
