Part 5 of 5

    DDoS Protection & Performance Tuning

    Kernel tuning, iptables rate limiting, fail2ban, CPU optimization, and an honest threat model for self-hosted game servers.

    Tags: sysctl, iptables, fail2ban, Performance

    1. Threat Model for Game Servers

    Before configuring defenses, understand what VPS-level protection can and cannot stop:

    Attack Type             | Description                   | VPS-Level Defense
    UDP amplification       | Most common for game servers  | Rate limiting helps
    TCP SYN flood           | Connection exhaustion         | SYN cookies + sysctl
    Application-layer       | Bot spam, login brute-force   | Fail2ban effective
    Volumetric (100+ Gbps)  | Saturates upstream link       | Requires upstream DDoS protection

    Be honest with expectations: VPS-level protection handles targeted harassment and small-scale attacks. For large volumetric DDoS, you need upstream protection - consider RamNode's DDoS-filtered IP add-on.

    2. UFW Hardening

    Default deny incoming, then allow only what your servers need:

    Complete UFW ruleset for Pelican + multi-game
    ufw default deny incoming
    ufw default allow outgoing
    
    # Management
    ufw limit 22/tcp       # SSH, rate limited: an IP that opens 6+ connections in 30 sec is denied
    ufw allow 80/tcp       # Panel HTTP
    ufw allow 443/tcp      # Panel HTTPS
    ufw allow 2022/tcp     # Wings SFTP
    
    # Game servers
    ufw allow 25565/tcp    # Minecraft Java
    ufw allow 19132/udp    # Minecraft Bedrock
    ufw allow 2456:2458/udp # Valheim
    ufw allow 8211/udp     # Palworld
    
    ufw enable

    Note that ufw limit already allows the port; do not add a separate ufw allow 22/tcp in front of it, because the allow rule would match first and the limit would never apply. Also allow the Wings API port from its config.yml (default 8080) unless Wings sits behind the Panel's HTTPS reverse proxy: the server console in the browser connects to it directly.

    ufw limit works for SSH but is insufficient for UDP game traffic - use iptables hashlimit for UDP ports (next section). Be aware that Docker manages its own iptables chains ahead of UFW's: a port published by a Wings container is reachable whether or not UFW allows it, so the game port lines above only matter for servers running directly on the host, and restricting a Docker-published port has to be done in the DOCKER-USER chain.

    3. iptables Rate Limiting (UDP)

    Per-IP UDP rate limiting prevents a single source from flooding your game ports:

    iptables hashlimit rules for game ports
    # Rate limit Valheim UDP to 100 packets/sec per source IP
    iptables -I INPUT -p udp --dport 2456:2458 \
      -m hashlimit --hashlimit-name valheim \
      --hashlimit-above 100/sec \
      --hashlimit-mode srcip \
      --hashlimit-burst 200 \
      -j DROP
    
    # Rate limit Palworld UDP similarly
    iptables -I INPUT -p udp --dport 8211 \
      -m hashlimit --hashlimit-name palworld \
      --hashlimit-above 100/sec \
      --hashlimit-mode srcip \
      --hashlimit-burst 200 \
      -j DROP
    
    # Save rules persistently (noninteractive, or the package's debconf
    # prompt about saving current rules waits for input)
    DEBIAN_FRONTEND=noninteractive apt install -y iptables-persistent
    netfilter-persistent save

    --hashlimit-above matches once a source exceeds the rate, and --hashlimit-burst lets the first 200 packets from a source through before the limit applies (important for game connections) while capping sustained traffic. Two caveats. First, INPUT only sees traffic to servers on the host network: game servers started by Wings run in Docker containers with published ports, and that traffic is DNATed and forwarded through the DOCKER-USER chain, never INPUT, so add the same rules to DOCKER-USER for them (use distinct --hashlimit-name values so each chain keeps its own table). Second, measure a busy server's per-client packet rate before settling on 100/sec; a limit below what the game legitimately sends kicks real players.
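The two rules above as a script, added here as an example and not part of the original guide: one function builds the match arguments so that the check (-C) and the insert (-I) always use the same spec, and the rules go into both INPUT and DOCKER-USER. It assumes Wings publishes each allocation on the same port inside and outside the container (so --dport is unchanged after DNAT), names the hashlimit tables with an _in/_fwd suffix, and installs nothing unless APPLY=1 is set; those are this example's choices, not the guide's.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: generate the per-source-IP UDP
# hashlimit rules from one spec and install them idempotently in both INPUT
# (servers on the host network) and DOCKER-USER (ports published by Wings
# containers, whose packets are forwarded and never traverse INPUT).
# Ports are the guide's; the APPLY switch and the _in/_fwd name suffixes are
# assumptions made for this example.
set -euo pipefail

# Match/target arguments for one rule. The same string feeds -C (check),
# -I (insert) and -D (delete), so the check and the insert cannot drift apart.
#   usage: hashlimit_spec NAME PORT_OR_RANGE [RATE] [BURST]
hashlimit_spec() {
    local name="$1" ports="$2" rate="${3:-100/sec}" burst="${4:-200}"
    local spec="-p udp --dport $ports -m hashlimit --hashlimit-name $name"
    spec="$spec --hashlimit-above $rate --hashlimit-mode srcip --hashlimit-burst $burst -j DROP"
    printf '%s' "$spec"
}

# Insert a rule at the top of CHAIN unless an identical one is already there,
# so re-running the script never stacks duplicates.
#   usage: install_rule CHAIN NAME PORT_OR_RANGE
install_rule() {
    local chain="$1" spec
    spec=$(hashlimit_spec "$2" "$3")
    # shellcheck disable=SC2086  # $spec is deliberately split into arguments
    if iptables -C "$chain" $spec 2>/dev/null; then
        echo "present:  $chain $spec"
    else
        iptables -I "$chain" 1 $spec
        echo "inserted: $chain $spec"
    fi
}

# Game ports from the guide. Each chain gets its own hashlimit table, so the
# suffix keeps the table names distinct (hashlimit names are limited to 15 chars).
GAME_PORTS="valheim 2456:2458
palworld 8211"

apply_all() {
    local chain suffix name ports
    for chain in INPUT DOCKER-USER; do
        case "$chain" in INPUT) suffix=in ;; *) suffix=fwd ;; esac
        # DOCKER-USER only exists while the Docker daemon is running
        if ! iptables -n -L "$chain" >/dev/null 2>&1; then
            echo "skip $chain: chain not present"; continue
        fi
        while read -r name ports; do
            install_rule "$chain" "${name}_${suffix}" "$ports"
        done <<< "$GAME_PORTS"
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_all                  # needs root
    netfilter-persistent save  # persist, as in the guide
else
    # Dry run: print what would be installed
    while read -r name ports; do
        echo "iptables -I INPUT 1 $(hashlimit_spec "${name}_in" "$ports")"
        echo "iptables -I DOCKER-USER 1 $(hashlimit_spec "${name}_fwd" "$ports")"
    done <<< "$GAME_PORTS"
fi
```

Run it once without arguments to see the exact rules, then `APPLY=1 ./hashlimit.sh` as root. If you would rather let UFW own the rules instead of iptables-persistent, the same spec lines can go into /etc/ufw/before.rules.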

    4. Fail2ban for Game Servers

    Fail2ban watches log files and bans a source IP after maxretry failures within findtime. It is most effective for SSH and the Panel web interface, and for Minecraft auth logs if you write a filter for them:

    Install and configure fail2ban
    apt install -y fail2ban
    
    # Put overrides in jail.local. Do not copy jail.conf wholesale: a full copy
    # shadows every default, so package updates to jail.conf stop taking effect
    touch /etc/fail2ban/jail.local
    /etc/fail2ban/jail.local - key sections
    [DEFAULT]
    findtime = 600
    bantime = 3600
    
    [sshd]
    enabled = true
    port = 22
    maxretry = 5
    
    [nginx-http-auth]
    enabled = true
    port = http,https
    filter = nginx-http-auth
    logpath = /var/log/nginx/error.log
    maxretry = 5
    Restart fail2ban
    systemctl restart fail2ban
    fail2ban-client status
    fail2ban-client status sshd   # per-jail view: currently banned IPs

    Note: nginx-http-auth only matches HTTP basic-auth failures in the nginx error log. The Panel's own form login does not produce those, so banning Panel brute force needs a filter written against the Panel's log format (not covered here). Fail2ban is less relevant for UDP game ports (no login handshake to detect). For any jail that targets a port published by a Docker container, set chain = DOCKER-USER in that jail: the default ban goes into INPUT, which forwarded container traffic never traverses.

    5. Kernel / sysctl Tuning

    Optimize the kernel for high-throughput UDP game traffic:

    /etc/sysctl.d/99-gameserver.conf
    # Increase UDP receive/send buffers
    net.core.rmem_max = 134217728
    net.core.wmem_max = 134217728
    net.core.rmem_default = 65536
    net.core.netdev_max_backlog = 262144
    
    # SYN flood protection
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_max_syn_backlog = 65536
    net.ipv4.tcp_fin_timeout = 15
    
    # Reverse path filtering (blocks spoofed source IPs)
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
    Apply immediately
    sysctl -p /etc/sysctl.d/99-gameserver.conf

    What each setting does:

    • rmem_max/wmem_max - raise the ceiling a socket may request with SO_RCVBUF/SO_SNDBUF; rmem_default is what a socket gets when the game server never asks for more. Check the UdpRcvbufErrors counter (nstat -az, or netstat -su) to see whether receive buffers are actually overflowing before and after the change
    • netdev_max_backlog - length of the per-CPU queue for packets that arrive faster than the kernel processes them; overflow shows up as the second column of /proc/net/softnet_stat
    • tcp_syncookies - once the SYN backlog is full, answers SYNs with a cookie instead of allocating a half-open connection, so a SYN flood cannot exhaust the connection table
    • rp_filter - drops packets whose source address would not be routed back out the interface they arrived on. On a single-homed VPS that only catches sources in local or unroutable ranges; it cannot identify an arbitrary spoofed public address, so treat it as hygiene rather than amplification protection
    • tcp_fin_timeout - shortens how long orphaned FIN_WAIT_2 sockets are kept, freeing resources sooner
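
A read-back check after applying the drop-in, added here as an example and not part of the original guide or of the sysctl tool itself: it parses the file above, looks each key up under /proc/sys and reports keys that are missing or hold a different value, which is how you find out that a container-based VPS plan ignored a setting. The optional second argument (an alternative root directory) is this example's assumption, so the check can be exercised against a fake tree.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: after `sysctl -p`, read every key
# of the drop-in back from /proc/sys and report keys that are missing or hold a
# different value. On container-based VPS plans some keys are read-only or
# absent, and `sysctl -p` alone does not make that obvious. The file path is
# the guide's; the SYSROOT argument exists so the check can run against a
# fake tree for testing.
set -euo pipefail

# Print "key value" per line from a sysctl.conf-style file; comments, blank
# lines and surrounding whitespace are stripped.
parse_sysctl_conf() {
    local file="$1" line key value
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                          # drop trailing comment
        [ -z "${line//[[:space:]]/}" ] && continue  # skip blank lines
        key="${line%%=*}"; value="${line#*=}"
        key="${key#"${key%%[![:space:]]*}"}";       key="${key%"${key##*[![:space:]]}"}"
        value="${value#"${value%%[![:space:]]*}"}"; value="${value%"${value##*[![:space:]]}"}"
        printf '%s %s\n' "$key" "$value"
    done < "$file"
}

# Compare each key in FILE with the running value under SYSROOT (default
# /proc/sys). Prints one status line per key; the return value is the number
# of keys that are missing or differ, so 0 means the whole file is in effect.
#   usage: check_sysctl_conf FILE [SYSROOT]
check_sysctl_conf() {
    local file="$1" sysroot="${2:-/proc/sys}" key want have path bad=0
    while read -r key want; do
        path="$sysroot/$(printf '%s' "$key" | tr . /)"   # net.core.rmem_max -> net/core/rmem_max
        if [ ! -r "$path" ]; then
            printf 'MISSING  %s (no %s)\n' "$key" "$path"; bad=$((bad + 1)); continue
        fi
        have=$(tr -s '[:space:]' ' ' < "$path"); have="${have% }"   # tabs -> single spaces
        if [ "$have" = "$want" ]; then
            printf 'OK       %s = %s\n' "$key" "$have"
        else
            printf 'MISMATCH %s: file says %s, kernel has %s\n' "$key" "$want" "$have"
            bad=$((bad + 1))
        fi
    done <<EOF
$(parse_sysctl_conf "$file")
EOF
    return "$bad"
}

# Typical use right after `sysctl -p /etc/sysctl.d/99-gameserver.conf`
if [ -r /etc/sysctl.d/99-gameserver.conf ]; then
    check_sysctl_conf /etc/sysctl.d/99-gameserver.conf \
        || echo "some keys are not in effect; see the lines above"
fi
```

A MISSING line on a VPS usually means the provider's container kernel does not expose that key at all; a MISMATCH with no error from sysctl -p means something else (another drop-in later in sort order, or a tool like Docker) set it afterwards.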

    6. Docker Network Optimization

    Tune Docker networking for game server traffic:

    • Set the Docker bridge MTU to match your VPS network. Docker defaults to 1500; if the VPS interface reports a lower MTU (ip link shows it), set "mtu" in /etc/docker/daemon.json so container packets are not fragmented or dropped on the way out
    • net.core.netdev_max_backlog and the net.core.*mem_max buffer limits are host-wide, not per network namespace, so raise them on the host (previous section) rather than per container
    • Only namespaced sysctls (most of net.ipv4.*) can be set per container, via docker-compose or Pelican Panel environment variables
    7. CPU Governor + IRQ Affinity

    Set the CPU governor to performance mode for consistent game server responsiveness. On most KVM VPS the guest has no cpufreq driver (frequency is the host's decision); in that case the cpufreq directory below is absent and there is nothing to set:

    Set CPU governor to performance
    apt install -y cpufrequtils   # or linux-tools-common, for: cpupower frequency-set -g performance
    cpufreq-set -g performance
    
    # Verify (prints nothing if the guest exposes no cpufreq driver)
    cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor

    For multi-core VPS, you can pin network IRQs to specific cores to reduce interrupt overhead. Find the NIC's interrupt lines first; on virtio NICs they are named virtio*-input/output rather than eth*:

    Check network interrupt distribution
    grep -E 'virtio|eth|ens' /proc/interrupts

    Pin an interrupt by writing a core number to /proc/irq/<IRQ>/smp_affinity_list, and stop irqbalance first or it will move the interrupt back. This matters for game servers with bursty packet rates - especially Valheim and Palworld during combat or base raids.

    8. Disk I/O for Game Servers

    Optimize disk I/O for the VPS disk. Find the device name first; on a VPS it is often vda rather than nvme0n1:

    I/O scheduler and mount options
    # Identify the block device (ROTA 0 = SSD-backed)
    lsblk -d -o NAME,ROTA,SIZE
    
    # Set I/O scheduler to mq-deadline for NVMe (takes effect until reboot)
    echo mq-deadline > /sys/block/nvme0n1/queue/scheduler
    
    # Persist it with a udev rule
    echo 'ACTION=="add|change", KERNEL=="nvme[0-9]n[0-9]", ATTR{queue/scheduler}="mq-deadline"' \
      > /etc/udev/rules.d/60-nvme-scheduler.rules
    
    # Give game server processes best-effort I/O priority. Only meaningful if the
    # scheduler honors priorities (bfq fully, newer mq-deadline by class, none not at all)
    ionice -c2 -n0 -p $(pgrep -f valheim_server)
    
    # Add noatime to game world mount points in /etc/fstab
    # Reduces inode write overhead from world saves

    9. Monitoring Under Load

    When you suspect an attack or performance issue:

    Real-time monitoring commands
    # Monitor bandwidth in real time
    nload
    # or
    iftop -i eth0   # use your interface name from `ip link`
    
    # Check for packet drops: one line per CPU, hex fields; the second field
    # counts packets dropped because net.core.netdev_max_backlog overflowed
    cat /proc/net/softnet_stat
    
    # UDP error statistics (UdpRcvbufErrors = receive buffer overflows)
    nstat -az | grep -i udp
    # or, with net-tools installed:
    netstat -su
    
    # Per-interface traffic history (vnstat records it; alerting needs a separate tool)
    apt install -y vnstat
    vnstat -l  # live traffic monitor
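A decoder for the softnet_stat output, added here as an example and not part of the original guide: it converts the hex fields to decimal per CPU and totals the backlog drops, running first on a constructed two-CPU sample and then on the live file if it is present. The field meanings are the kernel's; the sample values are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: decode /proc/net/softnet_stat,
# which the monitoring step reads raw. One line per CPU, all fields hex:
#   field 1 = packets processed on that CPU
#   field 2 = packets dropped because the per-CPU input queue
#             (net.core.netdev_max_backlog) was full
#   field 3 = time_squeeze, NAPI polls that hit their budget with work left
# The sample below is constructed for illustration.
set -euo pipefail

# Print "cpuN processed=... dropped=... time_squeeze=..." per CPU, in decimal.
#   usage: decode_softnet [FILE]   (default /proc/net/softnet_stat)
decode_softnet() {
    local file="${1:-/proc/net/softnet_stat}" cpu=0 processed dropped squeeze rest
    while read -r processed dropped squeeze rest; do
        printf 'cpu%d processed=%d dropped=%d time_squeeze=%d\n' \
            "$cpu" "$((16#$processed))" "$((16#$dropped))" "$((16#$squeeze))"
        cpu=$((cpu + 1))
    done < "$file"
}

# Total backlog drops across all CPUs. Nonzero and growing between two runs
# means packets arrive faster than softirq processing drains them: raise
# net.core.netdev_max_backlog or spread NIC interrupts over more cores.
#   usage: total_softnet_drops [FILE]
total_softnet_drops() {
    local file="${1:-/proc/net/softnet_stat}" total=0 processed dropped rest
    while read -r processed dropped rest; do
        total=$((total + 16#$dropped))
    done < "$file"
    printf '%d\n' "$total"
}

# Constructed two-CPU sample: cpu0 dropped 0x10 packets and was squeezed twice
SAMPLE_SOFTNET='00012345 00000010 00000002 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0000abcd 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000001'

sample=$(mktemp)
printf '%s\n' "$SAMPLE_SOFTNET" > "$sample"
decode_softnet "$sample"
echo "total drops: $(total_softnet_drops "$sample")"
rm -f "$sample"

# On a live host, take two readings a minute apart and compare the drop totals
if [ -r /proc/net/softnet_stat ]; then
    decode_softnet /proc/net/softnet_stat
fi
```

The counters are cumulative since boot, so a single reading only tells you drops have happened at some point; the rate between two readings under load is what matters.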

    Series Complete

    You now have a production-ready game server infrastructure: Pelican Panel for management, Minecraft with crossplay, Valheim and Palworld with auto-restart and backups, multi-game resource isolation, and DDoS protection with kernel tuning.

    As your community grows, resize your VPS without reinstalling - RamNode supports live plan upgrades.

    This guide is part of the Game Server Hosting series: