Java Edition vs Bedrock Edition DDoS Protection: What's Different

Two Worlds, One Block

Minecraft exists in two main versions: Java Edition and Bedrock Edition. For players the difference might seem cosmetic, but under the hood these are completely different networking protocols, different architectures, and consequently, different threats. If you run a server and are thinking about DDoS protection, you need to understand these differences.

TCP vs UDP: The Fundamental Difference

Java Edition runs over TCP. This is a reliable protocol with delivery confirmation, connection establishment, and flow control. From a protection standpoint, this is good news: TCP traffic is easy to proxy, route, and filter. Decades of networking infrastructure development have created mature tools specifically for TCP.

Bedrock Edition uses UDP through its own implementation of the RakNet protocol. UDP does not establish connections in the traditional sense. Packets simply fly from client to server without a handshake. This makes proxying Bedrock traffic significantly harder: you cannot just put a TCP proxy in front of the server, you need specialized UDP tunnels and non-standard solutions.

Different Attacks for Different Protocols

Attacks on Java servers typically follow several patterns:

• SYN flood - a classic TCP attack that overwhelms the server with connection establishment requests
• Fake player connections - botnets simulate real players, pass through the handshake, and create load on the game engine
• Slowloris and similar - slow attacks that keep connections open and exhaust server limits
• Minecraft protocol-level attacks - specially crafted packets that exploit data processing quirks

The Bedrock situation is different:

• UDP amplification - the attacker sends a small request, but a large volume of traffic is generated in response
• Source spoofing - forging the sender IP address, which is nearly impossible with TCP but trivial with UDP
• RakNet session flood - attempts to overload the session handler
• Reflected attacks - using the server as an amplifier to attack a third party

How MineGuard Handles Both

For Java Edition, MineGuard works as a transparent TCP proxy. All traffic passes through our filtering nodes where it is analyzed for anomalies. Legitimate connections are forwarded to your server; malicious ones are dropped before reaching their target. Proxy Protocol support lets your server see the real IP addresses of players, which is critical for bans and moderation.

For Bedrock, the task is harder. UDP traffic cannot be proxied using classical methods, so we use specialized processing mechanisms adapted to the protocol specifics. Filtering happens at the network level with minimal latency to avoid impacting gameplay.

In both cases, our system learns from the traffic patterns of your specific server. Normal activity patterns for a 500-player PvP server are very different from a calm 30-player RP server, and the protection accounts for this.

Geyser and Crossplay: The Third Scenario

A separate topic is servers running the Geyser plugin, which lets Bedrock players connect to a Java server. Technically it works like this: the Bedrock client connects via UDP, Geyser converts the traffic to the Java protocol, and from there everything goes over TCP.

From a protection standpoint, this means two attack vectors at once. The Java server port needs TCP attack protection, while the Geyser port needs UDP attack protection. MineGuard supports protecting both ports within a single configuration, so you do not need to set up two separate solutions.

An important detail: if Geyser runs as a plugin on the server itself (rather than as a standalone proxy), both ports are open on the same machine. This means a successful DDoS attack on either port will affect all players regardless of their version. Keep this in mind when planning your architecture.

Proxy Protocol: Not All Equal

Proxy Protocol is widely supported in the Java Edition ecosystem. BungeeCord, Velocity, Paper - all major server platforms can accept real IP information via Proxy Protocol. This makes integration with DDoS protection nearly seamless.

The Bedrock situation is worse. The standard Bedrock Dedicated Server does not support Proxy Protocol out of the box. Some alternative implementations like Dragonfly have added support, but it is not yet standard. If seeing real Bedrock player IPs is critical for you, make sure your server software supports it.

Latency: Milliseconds Matter

Any intermediate node adds latency. For Java Edition, where TCP already involves handshakes and acknowledgments, the additional latency from a proxy is typically 1-3ms and virtually unnoticeable.

For Bedrock, everything is more sensitive. UDP was chosen by the developers precisely for minimal latency, and every extra millisecond is felt more acutely. Players on mobile devices and consoles expect quick response times. So when choosing DDoS protection for Bedrock, the geography of filtering nodes is especially important. The closer the node to your server, the lower the overhead.

MineGuard places filtering nodes in key data centers across Europe, which minimizes latency for most servers.

Recommendations for Server Owners

If you only run Java Edition:

• Use a proxy chain (Velocity/BungeeCord) in front of your main server
• Enable Proxy Protocol to preserve real IPs
• Set connection limits at the proxy level
• Regularly update your server software - older versions often contain packet processing vulnerabilities

If you only run Bedrock Edition:

• Make sure your protection supports UDP filtering, not just TCP
• Check if your server software supports Proxy Protocol
• Monitor outbound traffic - your server could be used for attack amplification

If you run crossplay (Java + Geyser):

• Protect both ports: TCP for Java and UDP for Geyser
• If possible, run Geyser on a separate proxy server
• Test latency for Bedrock players separately from Java

Bottom Line

Protecting a Java server and a Bedrock server are two different tasks requiring different tools. Java TCP traffic is easier to filter and proxy; Bedrock UDP traffic creates additional challenges. A unified solution that works equally well with both protocols saves time and headaches. MineGuard was built with exactly this approach: one panel, one configuration, full protection for any version of Minecraft.