Running a self-hosted Barotrauma dedicated server is a labor of love. You set everything up, invite your crew, and then some jerk decides to flood your connection with amplified UDP garbage. Sound familiar? Let’s talk about one sneaky attack vector that’s hitting game servers hard right now: CoAP amplification.
What Is a CoAP Amplification Attack, Anyway?
CoAP (Constrained Application Protocol) runs on UDP port 5683 and was designed for lightweight IoT communication. The problem is that attackers can spoof your server’s IP and send tiny requests to exposed CoAP services, which respond with much larger packets — straight to your machine.
Your Barotrauma server doesn’t use CoAP at all. But if libcoap or any IoT-related service is running on the same host or network, you’re handing attackers a free amplifier pointed at your game server. That’s a serious problem.
Step One: Block UDP Port 5683 with iptables
The fastest thing you can do right now is drop all unsolicited CoAP traffic at the firewall level. Open your terminal and run these commands:
iptables -A INPUT -p udp --dport 5683 -j DROP
iptables -A INPUT -p udp --sport 5683 -j DROP
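The first rule blocks incoming CoAP requests to your server. The second drops reflected CoAP responses that could be part of an amplification flood. Because -A appends to the end of the INPUT chain, make sure no earlier ACCEPT rule matches this traffic first. Rules added this way live only in memory: iptables-save just prints the active ruleset, so write its output to a file that your distribution restores at boot if you want the rules to survive a reboot.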
Don’t Forget IPv6
Run the same rules using ip6tables if your server has an IPv6 address. Attackers love targeting the IPv6 stack because admins often forget about it entirely.
Step Two: Harden or Remove libcoap
If libcoap is installed on your server host, either disable it completely or bind it strictly to localhost. There is zero reason a game server host should have CoAP exposed to the public internet.
Check running services with ss -ulnp | grep 5683. If you see something listening there, kill it, disable it, or restrict it with a firewall rule immediately. Leaving it open is like leaving a side door unlocked.
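As an added example (not from the original post), the shell helpers below script the checks from Step One and Step Two: one flags non-loopback listeners on UDP 5683 in ss output, IPv4 and IPv6 alike, and the other reports which of the two DROP rules is missing from an iptables -S or ip6tables -S listing. The function names and all sample data are constructed for this example.

```bash
#!/bin/sh
# Added example: offline-testable audit helpers for Step One and Step Two.
# Function names and all sample data are constructed for illustration.
COAP_PORT=5683

# stdin: output of `ss -H -uln` (or `ss -H -tuln`, which adds a Netid column).
# stdout: every local address on the CoAP port that is not loopback-only.
exposed_coap_listeners() {
    awk -v port="$COAP_PORT" '
    {
        addr = ($1 == "udp") ? $5 : $4       # Local Address:Port column
        n = split(addr, parts, ":")
        if (parts[n] != port) next           # port follows the last colon
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        sub(/%.*$/, "", host)                # drop scope, e.g. 127.0.0.53%lo
        if (host ~ /^127\./ || host == "[::1]") next
        print addr
    }'
}

# stdin: output of `iptables -S INPUT` or `ip6tables -S INPUT`.
# stdout: "dport" and/or "sport" for each direction with no DROP rule.
missing_coap_drops() {
    rules=$(cat)
    for dir in dport sport; do
        printf '%s\n' "$rules" |
            grep -E -- "^-A INPUT .*-p udp .*--$dir $COAP_PORT -j DROP" \
                >/dev/null || echo "$dir"
    done
}

# Constructed sample: wildcard v4/v6 CoAP listeners plus a loopback-only one.
SAMPLE_SS='UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 0.0.0.0:27015 0.0.0.0:*
UNCONN 0 0 0.0.0.0:5683 0.0.0.0:*
UNCONN 0 0 [::1]:5683 [::]:*
UNCONN 0 0 [::]:5683 [::]:*'
# Constructed sample: only the --dport rule from Step One was applied.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p udp -m udp --dport 5683 -j DROP'

echo "exposed listeners:"; printf '%s\n' "$SAMPLE_SS" | exposed_coap_listeners
echo "missing DROP rules:"; printf '%s\n' "$SAMPLE_RULES" | missing_coap_drops
# On a real host (root is needed for the rule listings):
#   ss -H -uln | exposed_coap_listeners
#   iptables -S INPUT | missing_coap_drops; ip6tables -S INPUT | missing_coap_drops
```

Empty output from both functions means nothing is listening publicly on 5683 and both DROP rules are present for that address family.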
Step Three: Put Selectel’s BGP Scrubbing in Front of Everything
Local firewall rules are great, but volumetric attacks can saturate your uplink before iptables even sees the traffic. This is where upstream protection becomes essential.
Selectel offers BGP-announced DDoS scrubbing that reroutes your traffic through a cleaning center before it ever reaches your server. Malicious packets get filtered at the network level, and clean traffic passes through normally. For self-hosted game servers, this is one of the most effective layers you can add.
The combination of local iptables filtering plus upstream BGP scrubbing creates a defense-in-depth setup that handles both reflection and volumetric flood scenarios.
Wrapping Up: Don’t Wait Until You’re Already Down
CoAP amplification is a real and growing threat for self-hosted servers. The good news is that the mitigations are straightforward if you act before an attack happens.
If you need help designing a layered DDoS protection strategy for your Barotrauma server, professional consulting is available to walk you through the right setup for your specific environment.
Already under attack right now? Don’t waste time — open a support ticket immediately and let the experts help you get back online fast.