
Bedrock Edition

UDP/RakNet protocol support and attack mitigation for Minecraft Bedrock.

Protocol: UDP (RakNet) | DNS: CNAME | Firewall: IP, CIDR, and country

Bedrock uses RakNet over UDP, a completely different protocol from the one Java Edition uses. We handle the full RakNet lifecycle:

  1. Unconnected Ping/Pong — Server list queries are answered at the edge. This prevents amplification attacks while keeping your server visible in server browsers.
  2. Connection Request — We validate RakNet open connection requests and assign session IDs to track each client.
  3. Session Tracking — We maintain per-client state to tell legitimate players apart from flood traffic. Connections without valid session state get dropped.
  4. Data Forwarding — Established sessions are forwarded to your backend.

Attack mitigation

Bedrock servers face a different set of attacks than Java:

  • UDP amplification — Attackers abuse the unconnected pong response to amplify traffic. We rate-limit pong responses per source IP.
  • Connection exhaustion — Floods of RakNet open connection requests. We track session state and reject duplicates.
  • Malformed datagrams — Garbage UDP packets that crash poorly written server software. Dropped at the parser level.
  • Session hijacking — Attempts to inject packets into existing sessions. We verify session IDs on every packet.
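The lifecycle steps and the mitigation list above can be read as one per-datagram decision. The sketch below is an added example, not this service's code: it checks the RakNet offline-message magic, rate-limits pongs per source IP with a token bucket, and drops anything without session state. The class name, the limits, and keying sessions by source address (rather than an assigned session ID) are assumptions.

```python
import time

# RakNet offline-message constants (public protocol values).
MAGIC = bytes.fromhex("00ffff00fefefefefdfdfdfd12345678")
ID_UNCONNECTED_PING = 0x01
ID_OPEN_CONNECTION_REQUEST_1 = 0x05

class EdgeFilter:
    """Hypothetical edge filter; names and limits are assumptions."""
    def __init__(self, pongs_per_sec=5, burst=5, clock=time.monotonic):
        self.rate, self.burst, self.clock = pongs_per_sec, burst, clock
        self.buckets = {}      # src_ip -> (tokens, last_refill_time)
        self.sessions = set()  # (src_ip, src_port) that began a handshake

    def _allow_pong(self, ip):
        # Token bucket: refill by elapsed time, spend one token per pong.
        now = self.clock()
        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[ip] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def classify(self, src, data):
        """Return 'pong', 'handshake', 'forward' or 'drop' for one datagram."""
        if not data:
            return "drop"
        pid = data[0]
        if pid == ID_UNCONNECTED_PING:
            # Layout: id(1) + time(8) + magic(16) + client GUID(8) = 33 bytes.
            if len(data) < 33 or data[9:25] != MAGIC:
                return "drop"  # malformed: rejected at the parser
            return "pong" if self._allow_pong(src[0]) else "drop"
        if pid == ID_OPEN_CONNECTION_REQUEST_1:
            # Layout: id(1) + magic(16) + protocol version(1) + MTU padding.
            if len(data) < 18 or data[1:17] != MAGIC:
                return "drop"
            if src in self.sessions:
                return "drop"  # duplicate request (simplified; ignores retries)
            self.sessions.add(src)
            return "handshake"
        # Any other packet is only valid inside a tracked session.
        return "forward" if src in self.sessions else "drop"
```

Malformed pings are rejected before the bucket is touched, so garbage traffic cannot consume the pong budget of the source address it claims.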

Compatibility

Works with Bedrock Dedicated Server (BDS), PocketMine-MP, Nukkit, PowerNukkitX, and other Bedrock server implementations.

Firewall note: Bedrock rules support IP, CIDR, and country conditions. Protocol version and username pattern rules aren't available because RakNet doesn't expose this information before the connection is established.
