In TeamSpeak 3, the main voice traffic runs on UDP port 9987.
Protecting UDP traffic is inherently difficult because UDP is connectionless and does not provide any handshake mechanism. As a result, when strict UDP protection is enabled, legitimate users often fail to join the server.
Proposed Solution
When a client attempts to connect to a TeamSpeak 3 server, a TCP-based verification step should be performed before allowing UDP traffic.
The client first sends a TCP request to a predefined port such as 443, 80, or a custom TCP port (e.g. 1234)
A standard TCP 3-way handshake is completed
After the handshake, the client’s real IP address is reliably identified
The IP address is then added to a temporary whitelist (for example, valid for 30–60 seconds)
Result
After successful TCP verification:
UDP traffic to port 9987 is automatically allowed
Legitimate users can connect without issues, even during UDP-based attacks
UDP protection becomes more stable, reliable, and effective
Advantages
More effective mitigation against UDP-based DDoS attacks
Prevents legitimate users from being blocked during server entry
Reliable IP verification using TCP
Reduced risk through time-limited whitelisting
Summary
With this approach:
Clients are verified via TCP first,
then UDP voice traffic is allowed in a controlled manner.
Final Note
So in summary, all that would be required is a small client-side update.
The TeamSpeak 3 client would simply need to send a TCP request before joining the server.
This lightweight TCP verification would allow the server or protection layer to perform a 3-way handshake, reliably identify the client’s IP address, and temporarily allow UDP traffic to port 9987.
No major architectural changes are needed — just a simple TCP request from the client, which could significantly improve UDP protection and overall user experience.
