TCPShield uses proprietary mitigation strategies to give server owners the peace of mind in knowing their networks are safeguarded from attacks. All of these features aim to protect your server from a variety of denial of service attacks at every layer in the network stack.
In it's simplest form, TCPShield protects you from network-layer TCP and UDP floods. Common things like SYN floods, as well as UDP based reflection / amplification floods are immediately blocked at our edge. TCPShield is an anycasted network, meaning we stop attacks as close to the source as possible.
The main goal of attackers is to consume resources of your network to where it grinds to a halt. There are some of these attack vectors that can be found directly in the Minecraft protocol itself. Without giving out specifics, we preform checks against incoming Minecraft clients to ensure they behave like a real Minecraft player and not an attacker. This includes things like ping attacks, encryption attacks, and large amounts of server joins.
The TCPShield plugin hides your IP address your BungeeCord/Spigot is running on by ensuring all connections incoming are authorized from the TCPShield network. At any given moment, thousands of devices are scanning the internet looking for open ports and logging information about it. Such systems can expose the backend IP address in order to directly attack your network, circumventing TCPShield as a whole. In addition, our plugin actively protects you from other known protocol vulnerabilities which have yet to be patched by many Spigot versions.
As TCPShield accepts incoming connections to your server, players can be equally distributed to any number of backend servers. In other words, you can run multiple BungeeCord instances without the need for HAProxy and simply rely on TCPShield to do this for you. Simply insert multiple IP's for a single domain and TCPShield takes care of the rest, making it easier than ever to scale your network to meet demands.