How to Protect Your Minecraft Server from DDoS Attacks
Learn how to defend your Minecraft server against DDoS attacks with proxy protection, IP hiding, rate limiting, and anti-bot plugins.
What Is a DDoS Attack
A Distributed Denial of Service attack floods your server with so much traffic that legitimate players cannot connect. The attacker uses a botnet, thousands of compromised machines or rented cloud instances, to send massive volumes of data to your server's IP address. Your server's network connection becomes saturated, the CPU spends all its time processing garbage packets, and the result is lag, timeouts, or complete downtime. DDoS attacks do not hack your server or steal data. They simply make it unreachable.
Minecraft servers are frequent targets because they are easy to find (server lists publish IPs), they run on predictable ports (25565), and many are operated by individuals or small teams without enterprise-grade network infrastructure. Attacks can be motivated by rivalry between servers, disgruntled banned players, or simply boredom. The good news is that effective protection exists at every budget level.
Layer 3/4 vs Layer 7 Attacks
Understanding attack types helps you choose the right defenses.
Layer 3/4 (network/transport layer): These attacks flood your connection with raw data: UDP floods, SYN floods, and ICMP floods. They aim to overwhelm your bandwidth or exhaust your server's connection-tracking tables. Protection against L3/4 attacks is handled at the network level by your hosting provider or a DDoS protection service. You cannot mitigate a 50 Gbps flood with a plugin.
Layer 7 (application layer): These attacks exploit the Minecraft protocol itself. Bot clients send valid-looking connection requests, login attempts, or join packets at high volume. Your server wastes resources processing these fake connections. L7 attacks are smaller in bandwidth but harder to distinguish from real players. Protection requires application-level filtering, anti-bot plugins, connection throttling, and proxy services that understand the Minecraft protocol.
Hosting Provider DDoS Protection
The first line of defense is your hosting provider. Most reputable Minecraft hosts include some level of DDoS protection. At a minimum, look for:
- Always-on L3/4 filtering: The provider's network should automatically detect and filter volumetric attacks without requiring you to do anything.
- Traffic scrubbing capacity: Ask how many Gbps of attack traffic the provider can handle. Anything under 1 Tbps is considered low by modern standards. Quality providers advertise 1-10+ Tbps of scrubbing capacity.
- No null-routing on small attacks: Cheap hosts will "null route" your IP (take it completely offline) during an attack to protect their other customers. This means the attack succeeds. Better providers filter the attack traffic and keep your server online.
Astroworld Hosting includes DDoS protection on every plan. This is the baseline you should expect from any serious Minecraft hosting provider.
TCPShield
TCPShield is a reverse proxy service built specifically for Minecraft. It sits between players and your server, hiding your real IP address and filtering malicious traffic before it reaches you. How it works:
- Sign up at tcpshield.com and add your server.
- TCPShield gives you a CNAME record to point your domain at.
- Players connect to your domain. Traffic routes through TCPShield's network.
- TCPShield filters attacks and forwards clean traffic to your actual server IP.
TCPShield has a free tier that covers basic protection for smaller servers. Paid plans offer higher bandwidth allowances and more aggressive filtering. The critical step is making sure your real server IP stays hidden: if attackers know it, they bypass TCPShield entirely.
Cloudflare Spectrum
Cloudflare Spectrum is an enterprise-grade option that proxies TCP traffic through Cloudflare's global network. Unlike TCPShield, Spectrum is not Minecraft-specific; it works for any TCP service. It is extremely effective but significantly more expensive (starting at $1/Gbps of proxied traffic on the Pro plan). Spectrum makes sense for large networks with hundreds of players and serious DDoS threats. For most single-server setups, TCPShield is more cost-effective.
Hiding Your Real IP
All proxy-based protection fails if the attacker knows your server's real IP address. Once exposed, they can attack the IP directly and bypass any proxy. To keep your IP hidden:
- Never share your IP publicly. Use a domain name that routes through your proxy for all public-facing connections.
- Check historical DNS records. Services like SecurityTrails index old DNS records. If your domain previously pointed directly at your server, that IP may be cached. Consider getting a new IP from your host if this is the case.
- Configure your firewall to only accept Minecraft connections from your proxy's IP ranges. TCPShield and Cloudflare publish their IP ranges. Block everything else on port 25565.
- Don't leak the IP through other services. If you run a website, Discord bot, or other service on the same machine, those can reveal the IP.
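The firewall step above, as an added example that is not from the original article: a shell script that turns a list of proxy ranges into an nftables ruleset admitting port 25565 only from those ranges. The table and set names, the sample ranges, and an IPv4-only server listening directly on the host (not behind container port forwarding) are assumptions.

```sh
# Added example: print an nftables ruleset that admits Minecraft traffic
# only from a proxy's ranges. Nothing is applied; load it with `nft -f`.
MC_PORT=25565

# Succeeds only for a well-formed IPv4 CIDR (octets 0-255, prefix 0-32).
valid_cidr4() {
    ip=${1%/*}; prefix=${1#*/}
    [ "$ip/$prefix" = "$1" ] || return 1
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $ip in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Reads one CIDR per line on stdin ('#' comments and blanks ignored).
# A malformed entry or an empty list aborts: no ruleset is better than
# one that silently drops every player.
build_ruleset() {
    elements=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        valid_cidr4 "$line" || { echo "bad CIDR: $line" >&2; return 1; }
        elements="${elements:+$elements, }$line"
    done
    [ -n "$elements" ] || { echo "no proxy ranges given" >&2; return 1; }
    cat <<EOF
table inet mc_origin {
    set proxy_v4 {
        type ipv4_addr
        flags interval
        elements = { $elements }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport $MC_PORT ip saddr @proxy_v4 accept
        tcp dport $MC_PORT drop
    }
}
EOF
}

# Constructed sample input (RFC 5737 documentation ranges).
SAMPLE_RANGES='192.0.2.0/24
198.51.100.0/24   # constructed second block'
printf '%s\n' "$SAMPLE_RANGES" | build_ruleset
```

Replace the sample ranges with the list your proxy provider publishes and regenerate the ruleset whenever that list changes.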
Rate Limiting and Connection Throttling
Server-side rate limiting helps against L7 (application-layer) attacks:
- Paper's built-in rate limiting: Paper has connection throttle settings in paper-global.yml. Set connection-throttle to limit how many connections a single IP can make per second.
- Linux firewall rules: Use iptables or nftables to rate-limit new connections on port 25565. Example (limits each IP to 3 concurrent connections): iptables -A INPUT -p tcp --dport 25565 -m connlimit --connlimit-above 3 -j DROP
- Fail2ban: Configure Fail2ban to monitor your server logs for repeated failed connection attempts and auto-ban offending IPs at the firewall level.
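The log-based banning described in the Fail2ban item, as an added example that is not from the original article: a shell function that applies the same "more than maxretry events within findtime" test to server log lines. The log line format, the flag_flooders name, the thresholds, and the sample lines are assumptions constructed for illustration.

```sh
# Added example: flag source IPs with more than MAX "lost connection"
# events inside any WINDOW-second span, the same maxretry/findtime idea
# Fail2ban applies. Usage: flag_flooders MAX WINDOW < logfile
flag_flooders() {
    awk -v max="$1" -v win="$2" '
    /lost connection/ {
        # Timestamp: leading [HH:MM:SS (assumed format, no date, so a
        # log spanning midnight must be split per day first).
        if (!match($0, /^\[[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/)) next
        t = substr($0, 2, 2) * 3600 + substr($0, 5, 2) * 60 + substr($0, 8, 2)
        # Source address: the /a.b.c.d:port token before "lost".
        if (!match($0, /\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+ lost/)) next
        ip = substr($0, RSTART + 1, RLENGTH - 1)
        sub(/:.*/, "", ip)
        n = ++seen[ip]
        stamp[ip, n] = t
        # Slide the window: forget events older than win seconds.
        while (t - stamp[ip, old[ip] + 1] > win) old[ip]++
        if (n - old[ip] > max && !(ip in flagged)) {
            flagged[ip] = 1
            print ip
        }
    }'
}

# Constructed sample lines (RFC 5737 addresses), not real server output.
SAMPLE_LOG='[14:01:00] [Server thread/INFO]: /198.51.100.7:51000 lost connection: Disconnected
[14:02:10] [Server thread/INFO]: /203.0.113.50:40001 lost connection: Disconnected
[14:02:10] [Server thread/INFO]: /203.0.113.50:40002 lost connection: Disconnected
[14:02:11] [Server thread/INFO]: /203.0.113.50:40003 lost connection: Disconnected
[14:02:11] [Server thread/INFO]: /203.0.113.50:40004 lost connection: Disconnected
[14:02:12] [Server thread/INFO]: /203.0.113.50:40005 lost connection: Disconnected
[14:02:12] [Server thread/INFO]: /203.0.113.50:40006 lost connection: Disconnected
[14:03:00] [Server thread/INFO]: Steve[/192.0.2.44:51001] logged in with entity id 12
[14:05:30] [Server thread/INFO]: Steve lost connection: Disconnected
[14:06:00] [Server thread/INFO]: /198.51.100.7:51002 lost connection: Disconnected'

# More than 5 events in 10 seconds: only the burst source is printed.
printf '%s\n' "$SAMPLE_LOG" | flag_flooders 5 10
```

Behind a reverse proxy the firewall sees the proxy's addresses rather than the players', so per-IP firewall bans and connection limits then apply to the proxy's ranges as a whole.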
Anti-Bot Plugins
Anti-bot plugins add application-level protection against bot floods:
- EpicGuard: Detects bot connections using geographic filtering, connection rate checks, and a nickname blacklist. Free and actively maintained.
- BotSentry: Premium plugin with advanced bot detection including CAPTCHA challenges for suspicious connections.
- nAntiBot: Lightweight plugin that adds a verification step for new connections, blocking automated join spam.
These plugins complement network-level protection. They won't help against a 10 Gbps UDP flood, but they effectively stop bot join spam that crashes your server through resource exhaustion.
What to Do During an Attack
If you are under active attack:
- Do not panic. Most attacks stop within 15-60 minutes.
- Check your hosting provider's DDoS protection dashboard if available. Verify the attack is being filtered.
- If your IP is exposed and the provider's protection is insufficient, enable a proxy service (TCPShield) immediately and update your DNS to point through it.
- Notify your players through Discord or your website that you are aware of the issue.
- After the attack subsides, review logs to see if the attacker gained any useful information (like your real IP through a new vector).
- If attacks are recurring, consider changing your server IP and using a proxy permanently.
Prevention is always cheaper than reaction. Set up protection before you need it. Once your server is on a server list with hundreds of players, you become a target, so prepare accordingly.