How TCPShield Works

TCPShield is a reverse proxy DDoS protection service designed for Minecraft servers. Players connect to TCPShield's proxy network, traffic is filtered using L3/L4/L7 protection, and clean traffic is forwarded to the operator's origin server. The origin server's IP address is hidden — players only see TCPShield's proxy IPs.

TCPShield's filtering targets the attack types most often aimed at Minecraft servers: UDP floods, TCP SYN floods, and Minecraft-protocol-specific attacks (bot floods, invalid handshake floods, connection exhaustion).

The Proxy Model — What It Means

Your origin IP is protected by being hidden entirely. All player traffic — legitimate and attack — routes through TCPShield's infrastructure. This is how proxy-based protection works: TCPShield absorbs and filters traffic before it reaches your server.

Operational implications:

  • All traffic takes an additional network hop through TCPShield's infrastructure. For players close to a TCPShield PoP, this is minimal. For players in regions without nearby PoPs, routing overhead affects latency.
  • Your server identity changes from its direct IP to TCPShield's proxy assignment. DNS records and any server lists using your direct IP need updating.
  • If TCPShield's infrastructure has an outage or capacity issue, your server is unreachable to players.

Minecraft Focus — Strength and Constraint

TCPShield is purpose-built for Minecraft. Its protocol-aware filtering is tuned specifically for Java and Bedrock edition traffic patterns. For Minecraft operators, this specificity is an advantage: protection is calibrated to the exact traffic your server generates and the exact attacks targeting Minecraft infrastructure.

The constraint: operators running non-Minecraft game servers, custom game protocols, or mixed workloads should verify protocol support carefully. TCPShield's filtering is optimized for Minecraft — other protocols may receive less granular protection.

What Proxy Protection Doesn't Cover

TCPShield protects the proxy layer. It leaves the following gaps between the proxy and your origin server, and on the origin server itself:

No per-server packet visibility

TCPShield sees traffic on its own scrubbing infrastructure. Your origin server's packet-level behavior — what actually reached it after proxy filtering, connection table state, CPU pressure during an attack — is not visible from TCPShield's layer.

No PCAP forensics at the host

Post-incident analysis at the packet level requires capture tools running on your origin server. TCPShield provides no mechanism for host-level forensic capture.

Origin-side attacks

If an attacker identifies your origin server's real IP through other means (DNS history, log leaks, external service connections), attacks against your origin IP bypass TCPShield entirely. Origin IP hygiene is an ongoing operational requirement with any proxy service.
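The origin-side view described in this section can be sketched as follows. This is an added example, not code from TCPShield or Flowtriq: it summarizes connection-table state on the game port and counts peers that are not proxy addresses, which behind a reverse proxy means traffic reaching the origin directly. It assumes a little-endian Linux host, IPv4 only, and placeholder addresses (origin 192.0.2.10, proxy egress 203.0.113.0/24); the sample table is constructed.

```python
import ipaddress
from collections import Counter

TCP_STATES = {"01": "ESTABLISHED", "03": "SYN_RECV", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp format, trimmed to the leading columns.
# Addresses are little-endian hex; 63DD is port 25565, 0016 is port 22.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue:rx_queue
   0: 00000000:63DD 00000000:0000 0A 00000000:00000000
   1: 0A0200C0:63DD 057100CB:C350 01 00000000:00000000
   2: 0A0200C0:63DD 097100CB:C351 01 00000000:00000000
   3: 0A0200C0:63DD 4D6433C6:9C40 03 00000000:00000000
   4: 0A0200C0:63DD 4D6433C6:9C41 03 00000000:00000000
   5: 0A0200C0:63DD 4E6433C6:9C42 03 00000000:00000000
   6: 0A0200C0:0016 4D6433C6:D431 01 00000000:00000000
"""

def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (IPv4Address, port), reversing the byte order."""
    ip_hex, port_hex = field.split(":")
    return ipaddress.IPv4Address(bytes.fromhex(ip_hex)[::-1]), int(port_hex, 16)

def summarize(proc_text, game_port, proxy_nets):
    """Count TCP states on game_port and connections from non-proxy peers."""
    nets = [ipaddress.ip_network(n) for n in proxy_nets]
    states, non_proxy = Counter(), Counter()
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        (_, local_port), (peer, _) = decode_addr(fields[1]), decode_addr(fields[2])
        state = TCP_STATES.get(fields[3], fields[3])
        if local_port != game_port or state == "LISTEN":
            continue
        states[state] += 1
        # Behind a reverse proxy every legitimate peer is a proxy address.
        if not any(peer in net for net in nets):
            non_proxy[str(peer)] += 1
    return states, non_proxy
```

On a live host the same function can be fed the contents of /proc/net/tcp together with the proxy ranges published by the provider.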

TCPShield vs. Flowtriq

Feature                  | TCPShield                    | Flowtriq
Protection model         | Minecraft reverse proxy      | Per-server agent
Protocol focus           | Minecraft (Java + Bedrock)   | All protocols
Origin IP exposed        | No (hidden)                  | Yes
Per-server visibility    | No                           | Yes
PCAP forensics           | No                           | Yes
L7 game protocol filters | Yes (Minecraft-specific)     | Yes
Server-side metrics      | No                           | Yes
Upstream dependency      | TCPShield infrastructure     | None
Pricing                  | Tiered (free to paid plans)  | $9.99/node/month

Evaluation Checklist

  1. Confirm your game protocol is well-supported — TCPShield is Minecraft-first
  2. Test latency from your player base to TCPShield's nearest PoP
  3. Audit your origin IP exposure — check DNS history, external API references, log outputs
  4. Identify server-side forensic requirements — per-server PCAP requires a complementary host-based tool
  5. Evaluate what happens if TCPShield has an outage — is your server completely unreachable?
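For checklist item 3 and the origin-side attack risk described earlier, one way to audit current DNS records for origin exposure. This is an added example, not part of the original article or either product: it goes beyond DNS history by checking A, CNAME, MX, SRV and TXT records in a zone export for anything that reveals the origin address. The zone contents, hostnames and origin address are constructed placeholders, and the one-record-per-line export format is an assumption.

```python
import re
ORIGIN_IP = "192.0.2.10"  # placeholder origin address (documentation range)
# Constructed zone export, one "name type value" record per line.
ZONE = """\
play.example.net.            A     203.0.113.5
map.example.net.             CNAME play.example.net.
mail.example.net.            A     192.0.2.10
example.net.                 MX    10 mail.example.net.
_minecraft._tcp.example.net. SRV   0 5 25565 mc-direct.example.net.
mc-direct.example.net.       CNAME node1.example.net.
node1.example.net.           A     192.0.2.10
example.net.                 TXT   "v=spf1 ip4:192.0.2.10 -all"
"""

def parse_zone(text):
    """Split each line into (name, type, value); skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            records.append((parts[0].lower(), parts[1].upper(), parts[2].strip()))
    return records

def resolve(name, records, depth=0):
    """Addresses a name reaches through A records and in-zone CNAME chains."""
    if depth > 8:  # stop on CNAME loops
        return set()
    ips = set()
    for rec_name, rtype, value in records:
        if rec_name == name and rtype == "A":
            ips.add(value)
        elif rec_name == name and rtype == "CNAME":
            ips |= resolve(value.lower(), records, depth + 1)
    return ips

def find_origin_leaks(records, origin_ip):
    """Return (name, type, reason) per record revealing origin_ip (exact match)."""
    exact = re.compile(r"(?<![\d.])" + re.escape(origin_ip) + r"(?![\d.])")
    leaks = []
    for name, rtype, value in records:
        if rtype == "A" and value == origin_ip:
            leaks.append((name, rtype, "points directly at the origin"))
        elif rtype in ("CNAME", "MX", "SRV"):
            target = value.split()[-1].lower()  # hostname is the last field
            if origin_ip in resolve(target, records):
                leaks.append((name, rtype, f"target {target} resolves to the origin"))
        elif rtype == "TXT" and exact.search(value):
            leaks.append((name, rtype, "origin address appears in TXT data"))
    return leaks
```

In the sample zone the mail host, the MX and SPF records, and a leftover direct SRV target all reveal the origin, while the proxied `play` and `map` names do not.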

Want DDoS detection on your actual server, not just the proxy layer?

Flowtriq runs directly on your Linux server. Per-packet detection, PCAP forensics, server-side metrics. Works alongside any proxy service.


Frequently Asked Questions

What is TCPShield?

TCPShield is a reverse proxy DDoS protection service designed primarily for Minecraft servers. Players connect to TCPShield's proxy IPs, where traffic is filtered before being forwarded to the origin server. The origin server's IP address is hidden from players.

Does TCPShield support non-Minecraft games?

TCPShield is designed primarily for Minecraft (Java and Bedrock). Support for other game protocols varies. Operators running non-Minecraft game servers should verify protocol support before signing up.

Does TCPShield hide my server IP?

Yes. Players connect through TCPShield's proxy IPs. Your origin server's real IP is not exposed in DNS or to connecting clients, protecting your origin from direct targeting.

What does TCPShield not protect against?

TCPShield protects at the proxy layer. It does not provide per-server packet visibility, host-level PCAP forensics, or server-side metrics. Attacks that bypass or saturate the proxy layer, and short-burst attacks during the detection-to-mitigation window, can still cause origin-side disruption.

What is an alternative to TCPShield for game server DDoS protection?

Game server operators who need per-server packet visibility, PCAP forensics, server-side metrics, or protection beyond the proxy layer often evaluate Flowtriq alongside proxy services like TCPShield. Many operators use both: TCPShield for proxy-level protection and a host-based agent for origin-side detection.
