Running a self-hosted Satisfactory dedicated server is genuinely fun — until someone decides to ruin the party with a UDP flood attack. Suddenly your factory grinds to a halt, your friends get kicked, and you’re staring at a terminal wondering what just happened.
The good news? You can layer multiple defenses together to make your server dramatically more resilient. Let’s walk through a practical approach using tc-tbf traffic shaping, nftables rate limiting, and upstream BGP scrubbing via Combahton.
Why Satisfactory Servers Are a Target
Satisfactory uses UDP for its game traffic, which is fast but stateless — meaning there’s no handshake to verify where packets are coming from. Attackers exploit this by flooding your server with junk UDP packets, exhausting your bandwidth or CPU before real players ever connect.
Spike-based attacks are especially nasty. Instead of a steady stream, they hit in short, violent bursts designed to overwhelm your server before any automated mitigation even wakes up.
Layer 1: tc-tbf Traffic Shaping on Linux
The Token Bucket Filter (TBF) in Linux’s tc (traffic control) subsystem lets you cap incoming or outgoing traffic rates at the kernel level. Think of it like a bouncer that only lets a certain amount of traffic through per second, with a small “burst” allowance for legitimate spikes.
For a Satisfactory server, you’d typically apply TBF on your network interface to smooth out incoming UDP traffic. This won’t stop a massive flood entirely, but it protects your CPU and application layer from being instantly overwhelmed.
Quick Tip
Start conservative with your burst size. Too large and you negate the protection; too small and legitimate players experience lag. Monitor real traffic patterns for a few days before tuning.
Layer 2: nftables Connection Rate Limiting
Once traffic hits your server, nftables is your next line of defense. You can write rules that drop UDP packets exceeding a defined rate per source IP — effectively throttling or blocking abusive senders without touching legitimate game clients.
A simple nftables rule can limit new UDP connections to your game port to a sane number per second per source address. This is surprisingly effective against amplification and reflection floods where individual source IPs still show up repeatedly.
Quick Tip
Always whitelist your own IP and trusted players before enabling aggressive rate limits. Nothing kills a gaming session faster than accidentally blocking your friends.
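One way to write the per-source limit and the whitelist described above, as an added example that is not from the original article. The port (7777/udp), the trusted address, the table and set names, and the rate and burst figures are assumptions to replace with values taken from your own server and traffic measurements.

```nftables
#!/usr/sbin/nft -f
# Added example: per-source UDP rate limit for a game port.
# Assumed values: port 7777/udp, trusted address 203.0.113.10,
# 300 packets/second with a burst of 100 packets per source.

table inet satisfactory_guard {
    # Trusted sources that bypass the limit (constructed sample address
    # from the documentation range; put your own and your players' here).
    set trusted4 {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.10 }
    }

    # One entry per source address seen on the game port. "size" bounds
    # memory if a flood uses many source addresses; "timeout" expires
    # entries so the set does not fill up with stale senders.
    set game_senders4 {
        type ipv4_addr
        size 65535
        flags dynamic,timeout
        timeout 1m
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Whitelist first, so trusted players never reach the limiter.
        udp dport 7777 ip saddr @trusted4 accept

        # Each source gets its own token bucket. Packets above the rate
        # are counted and dropped; packets within it fall through to the
        # chain policy. IPv6 sources are not matched by this rule and
        # would need an ipv6_addr set of their own.
        udp dport 7777 add @game_senders4 { ip saddr limit rate over 300/second burst 100 packets } counter drop
    }
}
```

Validate the file with `nft -c -f <file>` before loading it, then watch the rule's counter in `nft list table inet satisfactory_guard` while real players are connected to see whether the assumed limit is dropping legitimate traffic.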
Layer 3: Combahton BGP Scrubbing as Your Upstream Shield
Both tc-tbf and nftables work on traffic that’s already reached your server. For truly large volumetric attacks, you need mitigation upstream — before the flood ever hits your pipe.
Combahton offers BGP-announced DDoS scrubbing, meaning attack traffic gets rerouted to their scrubbing centers and cleaned before delivery. This is especially valuable for spike-based UDP floods that can saturate your upstream link in seconds.
If you need help configuring BGP scrubbing, routing policies, or tuning your nftables ruleset, professional DDoS protection consulting is available to walk you through it step by step.
Conclusion: Don’t Wait Until You’re Under Attack
Layering tc-tbf, nftables, and upstream BGP scrubbing gives you defense-in-depth that’s genuinely hard to punch through. Set it up now, while things are calm.
Already under attack and watching your server melt in real time? Don’t wait — open a support ticket right now and get expert eyes on your situation before your whole session is wiped out.