RackDiff
DE
All Guides

Protect Minecraft Server from DDoS: TCPShield, NeoProtect & Alternatives 2026

Hetzner VPS has weak gaming DDoS protection. How to protect your Minecraft server with TCPShield (free), NeoProtect or Cloudflare Spectrum.

Dirk Hesse
February 5, 2026
9 min read

Your Minecraft server runs on Hetzner or Netcup. Everything's great – until someone launches a DDoS attack. Suddenly no players can connect.

The problem: Most VPS providers have DDoS protection for websites, not for gaming. Minecraft uses its own protocol on port 25565 – which often isn't filtered.

In this guide I'll show you how to protect your server with TCPShield (free) or NeoProtect – without switching hosts.

What is a DDoS Attack?

DDoS stands for Distributed Denial of Service. In a DDoS attack, your server is flooded with so many requests that it can no longer serve legitimate players.

The principle is simple: Imagine 10,000 people calling a pizza place at the same time. The phone line is blocked, real customers can't get through. That's exactly what happens in a DDoS attack – just with data packets instead of calls.

Why "Distributed"? The attack doesn't come from a single computer, but from hundreds or thousands simultaneously. These "botnets" often consist of hacked PCs and IoT devices. That makes it hard to block the attack – you can't just ban one IP.

Typical effects:

  • Server doesn't respond or is extremely slow
  • Players get kicked or can't join
  • Worst case: Server crashes completely
  • With weak protection: Your entire VPS goes offline

Important: A DDoS attack is illegal in most jurisdictions. Yet it happens regularly because "booter" services are available for a few euros and perpetrators are rarely caught.

Why Standard DDoS Protection Isn't Enough

Hetzner, Netcup and Contabo all have DDoS protection. But it's optimized for web traffic – HTTP/HTTPS on ports 80/443. Minecraft works differently.

Web DDoS ProtectionGaming DDoS Protection
ProtocolHTTP/HTTPSTCP/UDP (custom)
Ports80, 44325565, 19132, etc.
Traffic PatternRequest-ResponseContinuous Stream
Attack TypesHTTP Floods, SlowlorisUDP Floods, Nullping, Query Floods
At Hetzner/NetcupWell protectedBasic protection

Typical Attacks on Minecraft Servers

UDP Flood: Mass UDP packets overload the network card. Server becomes unreachable. Partially filtered by standard protection.

Nullping / Packet Crasher: Exploits specifically developed for Minecraft that crash the server. Not filtered.

Query Flood: Thousands of server status requests per second. Overloads the CPU. Not filtered.

Fake Handshake: Simulated player connections that never complete. Fills connection slots. Not filtered.

This isn't criticism of Hetzner or Netcup – they're optimized for web hosting. For public Minecraft servers you need additional protection.

Do I Even Need DDoS Protection?

Not every server needs extra protection. Here's an honest assessment:

ScenarioPlayersRiskRecommendation
Private server for friends5-10LowProbably not needed. IP isn't public.
Whitelist server, not listed10-30LowAs long as IP isn't known, low risk.
Public server, on server lists20+Medium to HighDDoS protection recommended. You're a visible target.
Large network, YouTube/Twitch presence100+HighDDoS protection is mandatory. You will be attacked.
Server with competition/dramaAnyHighCompeting servers or ex-players can be attackers.

Good to know: Most attacks don't come from hackers, but from bored teenagers with "booter" services for €10/month.

Solution 1: TCPShield (Free to Start)

TCPShield is the best-known DDoS protection for Minecraft. It works as a reverse proxy: Players connect to TCPShield, TCPShield filters and forwards to your server.

How It Works

Player → TCPShield (Filter) → Your VPS
  1. Player connects to play.yourdomain.com
  2. DNS points to TCPShield (CNAME record)
  3. TCPShield receives the traffic
  4. Malicious packets are filtered
  5. Legitimate traffic is forwarded to your real server IP
  6. Your real IP stays hidden

Pricing

PlanPriceFeatures
Free$01 backend server, 3 domains, basic DDoS protection, shared IPs
Pro~$20/monthUnlimited backends, dedicated IP, extended filtering, priority support

Advantages

  • Free plan for beginners
  • Easy setup (5 minutes)
  • Proven since 2015
  • Over 50,000 servers use TCPShield

Disadvantages

  • Latency +5-15ms (traffic takes detour)
  • Free plan has shared IPs
  • For BungeeCord/Velocity: Extra configuration needed

Setting Up TCPShield: Step by Step

1. Create Account

Go to tcpshield.com and register.

2. Create Network

Dashboard → Add Network

Name: e.g., "My MC Server"

3. Add Domain

Network Settings → Domains → Add Domain

Example: play.yourdomain.com

4. Add Backend Server

Backends → Add Backend

FieldValue
IP AddressYour VPS IP (e.g., 116.203.xxx.xxx)
Port25565

5. Configure DNS

At your DNS provider (Cloudflare, Namecheap, etc.):

TypeNameValue
CNAMEplayShown by TCPShield (e.g., abc123.tcpshield.com)

Important: No A record! Must be CNAME.

6. Configure Firewall (IMPORTANT!)

So only TCPShield can access your server:

# Block all Minecraft connections except from TCPShield
sudo ufw deny 25565/tcp

# Allow TCPShield IPs (current list at tcpshield.com/ips)
sudo ufw allow from 104.21.0.0/16 to any port 25565
sudo ufw allow from 172.67.0.0/16 to any port 25565
# ... more IPs from the TCPShield list

Without this step, an attacker who knows your real IP can bypass TCPShield!

7. Test

Connect to play.yourdomain.com instead of the direct IP. In the server log you'll now see TCPShield IPs instead of player IPs.

Extra: TCPShield with Velocity/BungeeCord

If you use a proxy, you need to install the TCPShield plugin:

  1. Download the TCPShield plugin (tcpshield.com/downloads)
  2. Copy it to your proxy's plugins folder
  3. Restart proxy
  4. The plugin restores the real player IPs

Solution 2: NeoProtect (Premium)

NeoProtect is a European alternative with focus on performance and stability. Particularly interesting: Frankfurt server location for minimal latency.

Features

  • Locations: Frankfurt, Amsterdam, London, Paris, and more
  • 0ms time-to-mitigation (always-on filter)
  • Customizable filter rules
  • Webhooks for attack notifications
  • Own panel with statistics

Pricing

PlanPriceFeatures
Starter~€10/month1 backend, 50 Mbit/s clean traffic, basic support
Pro~€25/month3 backends, 100 Mbit/s, priority support, custom rules

When to Choose NeoProtect?

  • You need lowest latency (Frankfurt location)
  • You want European support
  • The free TCPShield plan isn't enough anymore
  • You run a larger network

Other Alternatives

Cloudflare Spectrum

Enterprise solution from Cloudflare. Protects any TCP/UDP ports.

  • Price: From ~$20/month + traffic costs
  • Advantages: Cloudflare infrastructure, very reliable
  • Disadvantages: Expensive, traffic is billed, overkill for small servers
  • For whom: Large networks with budget

OVH Game DDoS

OVH has specialized gaming DDoS protection built-in.

  • Price: Included in server price
  • Advantages: No extra setup, specifically optimized for Minecraft
  • Disadvantages: Only if you switch to OVH, OVH more expensive than Hetzner
  • For whom: Those who need a new server anyway

Shockbyte (large Minecraft host) uses OVH for exactly this reason.

Cosmic Guard / Papyrus

Newer providers with focus on Minecraft.

  • Price: Varies
  • Advantages: Often cheaper prices than TCPShield Pro
  • Disadvantages: Less known, smaller infrastructure
  • For whom: Those who want to test alternatives

Bonus: Hide Your Real Server IP

DDoS protection is useless if the attacker knows your real IP. Here's how to hide it:

Never share the real IP: Always use the protected domain (play.yourdomain.com).

Delete DNS history: If the IP was ever in DNS, tools like SecurityTrails can find it. New IP at Hetzner: Delete server, create new one.

No services on the same IP: No web server, no Pterodactyl panel on the game server IP. Use separate IPs or servers.

Check server list entry: Some server lists show the IP. Only use those that show the domain.

Check player reports: Angry players sometimes share the IP in Discord. Keep an eye on that.

Warning: Once the IP is known, often only a server move to a new IP helps.

Which Protection Should You Choose?

SituationRecommendationReason
Small server, tight budgetTCPShield FreeFree, sufficient for most attacks
Medium server, low latency importantNeoProtect StarterFrankfurt location, professional support
Large network, budget availableTCPShield Pro or NeoProtect ProDedicated IPs, extended features
Maximum security, enterpriseCloudflare Spectrum or switch to OVHInfrastructure from world-class providers

Frequently Asked Questions

More Minecraft Guides

Minecraft Server Kosten 2026

Minecraft Server Kosten 2026

Managed Hosting vs VPS im Preisvergleich

Lesen
Aikar Flags & TPS Guide

Aikar Flags & TPS Guide

Server-Performance optimieren

Lesen
Pterodactyl Panel Setup

Pterodactyl Panel Setup

Game Panel auf eigenem VPS

Lesen

Server protected, but no VPS yet?

Compare VPS providers and find the right one for your Minecraft server.

Compare VPS

Related Articles

Minecraft Server Costs 2026: Hosting from €2.50 Compared
Vergleich

Minecraft Server Costs 2026: Hosting from €2.50 Compared

Optimize Minecraft Server 2026: Aikar Flags, RAM & TPS Guide
Tutorial

Optimize Minecraft Server 2026: Aikar Flags, RAM & TPS Guide

Set Up Pterodactyl Panel on Hetzner/Netcup: Complete Guide 2026
Tutorial

Set Up Pterodactyl Panel on Hetzner/Netcup: Complete Guide 2026