Protect Your Home Minecraft Server From DDOS Attacks with AWS

Want to run a Minecraft server from home without revealing your IP address? You can! Just set up a free proxy with Amazon Web Services to protect your server from denial-of-service attacks. We’ll show you how.

This guide will work for any game server, not just Minecraft. All it does is proxy traffic on a specific port. You just have to change Minecraft’s port 25565 to whichever port your game server runs on.

How Does This Work?

Let’s say you want to host a Minecraft server and have it open to the internet. It’s not that hard to run one. They’re easy to install, only use one processing thread, and even the heavily modded servers don’t take more than 2 to 3 GB of RAM with a few players online. You could easily run a server on an old laptop or in the background on your desktop computer rather than paying someone else to host it for you.

But for people to connect to it, you have to give out your IP address. This presents a few problems. It’s a major security risk, especially if your router still has the default admin password. It also leaves you open to distributed denial-of-service (DDOS) attacks, which would not only stop your Minecraft server but could shut off your internet, as well, until the attack subsides.

You don’t have to allow people to connect directly to your router. Instead, you can rent a small Linux box from Amazon Web Services, Google Cloud Platform, or Microsoft Azure—all of which have free tiers. This server doesn’t have to be strong enough to host the Minecraft server—it just forwards the connection for you. This allows you to give out the IP address of the proxy server instead of your own.

Say someone wants to connect to your server, so she types the IP address of your AWS proxy into her Minecraft client. A packet is sent to the proxy on port 25565 (Minecraft’s default port). The proxy is configured to match port 25565 traffic and forward it to your home router. This happens behind the scenes—the person connecting doesn’t even know.

Your home router must then be port-forwarded to forward the connection further to your actual PC. Your PC runs the server and responds to the client’s packet. It forwards it back to the proxy, and then the proxy rewrites the packet to make it look like the proxy is the one responding. The client has no idea this is happening and simply thinks the proxy is the system running the server.

It’s like adding another router in front of the server the same way your home router protects your computer. This new router, though, runs on Amazon Web Services and gets the full transport-layer DDOS mitigation that comes free with every AWS service (called AWS Shield). If an attack is detected, it’s mitigated automatically without bothering your server. If it isn’t stopped for some reason, you can always turn off the instance and cut the connection to your house.

To handle the proxying, you use a utility called sslh. It’s intended for protocol multiplexing; if you wanted to run SSH (usually port 22) and HTTPS (port 443) on the same port, you’d run into issues. sslh sits in front and redirects ports to the intended applications, solving this problem. But it does this at the transport layer level, just like a router. This means we can match Minecraft traffic and forward it to your home server. sslh is, by default, nontransparent, which means it rewrites packets to hide your home IP address. This makes it impossible for anyone to sniff it out with something like Wireshark.

Create and Connect to a New VPS

To get started, you have to set up the proxy server. This is definitely easier to do if you have some Linux experience, but it isn’t required.

Head to Amazon Web Services and create an account. You have to provide your debit or credit card info, but this is only to prevent people from making duplicate accounts; you aren’t charged for the instance you’re creating. The free tier does expire after a year, so make sure you turn it off after you’re finished with it. Google Cloud Platform has an instance available for free all the time if you’d rather use that. Google also offers a $300 credit for a year, which you could actually use to run a proper cloud server.

AWS does charge a bit for bandwidth. You get 1 GB free, but you’re taxed $0.09 per GB for anything over that. Realistically, you probably won’t go over this, but keep an eye on it if you see a 20-cent charge on your bill.

After you create your account, search for “EC2.” This is AWS’s virtual server platform. You might have to wait a bit for AWS to enable EC2 for your new account.

From the “Instances” tab, select “Launch Instance” to bring up the launch wizard.

You can select the default “Amazon Linux 2 AMI” or “Ubuntu Server 18.04 LTS” as the OS. Click next, and you’re asked to select the instance type. Select t2.micro, which is the free tier instance. You can run this instance 24/7 under AWS’s free tier.

Select “Review and Launch.” On the next page, select “Launch,” and you see a dialog box. Click “Create a New Key Pair,” and then click “Download Key Pair.” This is your access key to the instance, so don’t lose it—place it in your Documents folder for safekeeping. After it downloads, click “Launch Instances.”

You’re brought back to the instances page. Look for your instance’s IPv4 Public IP, which is the address of the server. If you’d like, you can set up an AWS Elastic IP (which won’t change across reboots), or even a free domain name, if you don’t want to keep coming back to this page to find the address.

Save the address for later. First, you need to edit the instance’s firewall to open port 25565. From the Security Groups tab, select the group your instance is using (probably launch-wizard-1), and then click “Edit.”

Add a new Custom TCP rule and set the port range to 25565. The source should be set to “Anywhere.”

Save the changes, and the firewall updates.

We’re now going to SSH into the server to set up the proxy. If you’re on macOS/Linux, you can open up your terminal. If you’re on Windows, you have to use an SSH client, like PuTTY, or install the Windows Subsystem for Linux. We recommend the latter, as it’s more consistent.

The first thing you should do is cd to your documents folder where the keyfile is:

cd ~/Documents/

If you’re using Windows Subsystem for Linux, your C drive is located at /mnt/c/, and you have to cd down to your documents folder:

cd /mnt/c/Users/username/Documents/

Use the -i flag to tell SSH you want to use the keyfile to connect. The file has a .pem extension signifying that it is a PEM file, so you should include that:

ssh -i keyfile.pem ec2-user@proxy_ip_address

Replace “proxy_ip_address” with the IPv4 Public IP of your instance. If you made an Ubuntu server rather than AWS Linux, connect as user “ubuntu.”

You should be granted access and see your command prompt change to the server’s prompt.

Configure SSLH

You want to install sslh from the package manager. For AWS Linux, that would be yum; for Ubuntu, you use apt-get. You might have to add the EPEL repository on AWS Linux:

sudo yum install epel-release

sudo yum install sslh

Once it’s installed, open the config file with nano:

sudo nano /etc/default/sslh

Change the RUN= parameter to “yes”:

RUN=yes

Below the final DAEMON line, type the following:

DAEMON_OPTS="--user sslh --listen --anyprot your_ip_address:25565 --pidfile /var/run/sslh/

Replace “your_ip_address” with your home IP address. If you don’t know your IP, search “what is my IP address?” on Google—yes, seriously.

This configuration makes the sslh proxy listen on all network devices on port 25565. Replace this with a different port number if your Minecraft client uses something different, or you play a different game. Usually, with sslh, you match different protocols and route them to different places. For our purposes, though, we simply want to match all possible traffic and forward it to your_ip_address:25565.

Press Control+X, and then Y to save the file. Type the following to enable sslh:

sudo systemctl enable sslh

sudo systemctl start sslh

If systemctl isn’t available on your system, you might have to use the service command instead.

sslh should now be running. Make sure your home router is port forwarding and sending 25565 traffic to your computer. You might want to give your computer a static IP address so this doesn’t change.
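
The port forward on your home router accepts connections from anyone who finds your home address, not only from the proxy. Because sslh is nontransparent, every forwarded player reaches your PC from the proxy's IP, so the home side can refuse everything else on the game port. The script below is an added example, not part of the original guide; it assumes a Linux home server with iptables, and the function names and addresses (203.0.113.10, 192.168.1.0/24) are made up for illustration.

```shell
#!/bin/sh
# Added example: restrict the home server's game port to the proxy (plus LAN).
# Assumes a Linux home server using iptables; addresses below are constructed.

is_ipv4() {
    # Digits and dots only, exactly four octets, each 0-255.
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

is_cidr() {
    # address/prefix with a valid IPv4 address and a prefix of 0-32.
    case "$1" in */*) ;; *) return 1 ;; esac
    is_ipv4 "${1%/*}" || return 1
    case "${1#*/}" in ''|*[!0-9]*) return 1 ;; esac
    [ "${1#*/}" -le 32 ]
}

# Usage: proxy_only_rules PROXY_IP [LAN_CIDR] [PORT]
# Prints the rules for review instead of applying them.
proxy_only_rules() {
    proxy_ip=$1; lan_cidr=${2:-}; port=${3:-25565}
    is_ipv4 "$proxy_ip" || { echo "bad proxy address" >&2; return 1; }
    case "$port" in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 1; }
    if [ -n "$lan_cidr" ]; then
        is_cidr "$lan_cidr" || { echo "bad LAN range" >&2; return 1; }
    fi
    # Local connections on the server itself keep working.
    echo "iptables -A INPUT -i lo -p tcp --dport $port -j ACCEPT"
    # Players on the home network connect directly, not via the proxy.
    [ -z "$lan_cidr" ] || echo "iptables -A INPUT -p tcp --dport $port -s $lan_cidr -j ACCEPT"
    # sslh is nontransparent, so forwarded players arrive from the proxy's IP.
    echo "iptables -A INPUT -p tcp --dport $port -s $proxy_ip -j ACCEPT"
    # Everything else on the game port, e.g. internet scanners, is dropped.
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Constructed sample: proxy at 203.0.113.10, home LAN 192.168.1.0/24.
proxy_only_rules 203.0.113.10 192.168.1.0/24
```

Review the printed rules, then apply them by piping the output to sudo sh. Without an Elastic IP, the instance's public address changes when it is stopped and started, so the rules have to be regenerated with the new address.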

To see if people can access your server, type the proxy’s IP address into an online status checker. You can also type your proxy’s IP into your Minecraft client and try to join. If it doesn’t work, make sure the ports are open in your instance’s Security Groups.
