Protect Your Home Minecraft Server From DDOS Attacks with AWS

Want to run a Minecraft server from home without revealing your IP address? You can! Just set up a free proxy with Amazon Web Services to protect your server from denial-of-service attacks. We’ll show you how.

This guide will work for any game server, not just Minecraft. All it does is proxy traffic on a specific port. You just have to change Minecraft’s port 25565 to whichever port your game server runs on.

How Does This Work?

Let’s say you want to host a Minecraft server and have it open to the internet. It’s not that hard to run one. They’re easy to install, only use one processing thread, and even the heavily modded servers don’t take more than 2 to 3 GB of RAM with a few players online. You could easily run a server on an old laptop or in the background on your desktop computer rather than paying someone else to host it for you.

But for people to connect to it, you have to give out your IP address. This presents a few problems. It’s a major security risk, especially if your router still has the default admin password. It also leaves you open to distributed denial-of-service (DDOS) attacks, which would not only stop your Minecraft server but could shut off your internet, as well, until the attack subsides.

You don’t have to allow people to connect directly to your router. Instead, you can rent a small Linux box from Amazon Web Services, Google Cloud Platform, or Microsoft Azure—all of which have free tiers. This server doesn’t have to be strong enough to host the Minecraft server—it just forwards the connection for you. This allows you to give out the IP address of the proxy server instead of your own.

Say someone wants to connect to your server, so she types the IP address of your AWS proxy into her Minecraft client. A packet is sent to the proxy on port 25565 (Minecraft’s default port). The proxy is configured to match port 25565 traffic and forward it to your home router. This happens behind the scenes—the person connecting doesn’t even know.

Your home router must then be port-forwarded to forward the connection further to your actual PC. Your PC runs the server and responds to the client’s packet. It forwards it back to the proxy, and then the proxy rewrites the packet to make it look like the proxy is the one responding. The client has no idea this is happening and simply thinks the proxy is the system running the server.

It’s like adding another router in front of the server the same way your home router protects your computer. This new router, though, runs on Amazon Web Services and gets the full transport-layer DDOS mitigation that comes free with every AWS service (called AWS Shield). If an attack is detected, it’s mitigated automatically without bothering your server. If it isn’t stopped for some reason, you can always turn off the instance and cut the connection to your house.