Which port is attacked and how to prevent?

Hello dear Teamspeak users,

I have a problem that I’m struggling with because I can’t find the right solution. Our server has been under attack lately. I know there is no 100% protection against it, but I would like to contain it somehow. I marked what I mean in the picture - the incoming traffic.


Attacks are between 4 and 5 MiB/s - it is clear that the server is on its knees. The server listens on port 9988 and the query on 10022. Hence my assumption that the attack on these ports takes place when no one but myself is online.

I have reconfigured my IP tables several times, unfortunately without success. Do any of you have any advice on what else I could do? Our security level is already at 25 - but it won’t do anything if the attack comes from outside.

Thank you


No ideas?

What is important is to allow only those ports that are absolutely necessary and to have a well-configured firewall that can withstand larger attacks.

Its happening the same to my server, the server is ok but somehow you cant connect to the team speak server

A lot of incoming traffic

On our Teamspeak server, only the ports that must be allowed are allowed. Unfortunately, I also have no clue on which port these attacks take place, apart from port 10022. Port 10022 is also protected by a firewall with a limit. only I might be missing other settings, where I was hoping to get a tip here…

1 Like

Most attacks we receive are volumetric attacks and not protocol attacks, the only defence for those is to have a larger amount of bandwidth than the attacker has.

Protocol attacks needs a deep packet inspection and/or rate limiting solution to stop, which you’re usually going have to pay for, the only easy and simple thing you can do is use something like iptables to limit the number of packets that can be sent to the TeamSpeak server process at any time, for that you can look at something like conntrack and connlimit in iptables…

I don’t know if it was a typo, but the correct port for voice chat is 9987, not 9988. Apart from that, I guess your best bet will be to create a whitelist.