Running a self-hosted Arma Reforger dedicated server is a labor of love. You’ve spent time configuring mods, building a community, and keeping the server stable — the last thing you need is a WS-Management reflection amplification attack knocking everything offline.
Let’s talk about what’s actually happening, and more importantly, what you can do about it right now.
What Is a WinRM Reflection Amplification Attack?
WS-Management (WinRM) runs on TCP/UDP ports 5985 and 5986. Attackers can abuse exposed WinRM services to reflect and amplify traffic toward a target — your game server. The attacker spoofs the source IP, the WinRM responder floods your server with replies, and suddenly you’re drowning in junk traffic.
It’s not exotic. Any publicly exposed WinRM port is a potential weapon in someone else’s hands, and game server hosts are increasingly on the target list.
Step One: iptables Ingress Filtering on Ports 5985 and 5986
Your first line of defense is simple: block inbound traffic on WinRM ports at the firewall level. If your server doesn’t need to receive WinRM traffic from the internet, don’t let it.
Quick iptables Rules to Apply
Run these commands as root on your Linux host:
iptables -A INPUT -p tcp --dport 5985 -j DROP
iptables -A INPUT -p udp --dport 5985 -j DROP
iptables -A INPUT -p tcp --dport 5986 -j DROP
iptables -A INPUT -p udp --dport 5986 -j DROP
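Persist the rules so they survive reboots: iptables-save only prints the current ruleset to standard output, so redirect it to a file and load that file at boot with iptables-restore. This won’t stop volumetric floods upstream, but it eliminates your server as an amplification reflector and blocks reflected traffic from consuming local resources.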
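Because -A appends to the end of the chain, an ACCEPT rule that already sits earlier in INPUT will match first and the new DROP rules never fire. The script below is an added example, not part of the original article: it audits `iptables -S INPUT` output for that case. The helper name winrm_gaps and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). winrm_gaps is a hypothetical helper.
# It reads `iptables -S INPUT` output on stdin and prints every proto/port
# pair whose first unconditional matching rule, or else the chain policy,
# is not DROP/REJECT. Assumption: only exact --dport values are understood;
# rules with other matches (-s, -i, conntrack, ...) are treated as
# conditional and skipped, as are jumps to LOG or user-defined chains.
winrm_gaps() {
  awk '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 == "-A" && $2 == "INPUT" {
      proto = ""; dport = ""; target = ""; cond = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-p") proto = $(++i)
        else if ($i == "--dport") dport = $(++i)
        else if ($i == "-j") { target = $(++i); break }
        else if ($i == "-m" && ($(i+1) == "tcp" || $(i+1) == "udp")) i++
        else cond = 1   # any other match makes the rule conditional
      }
      if (cond || target !~ /^(ACCEPT|DROP|REJECT)$/) next
      n++; P[n] = proto; D[n] = dport; T[n] = target
    }
    END {
      split("tcp udp", protos, " "); split("5985 5986", ports, " ")
      for (a = 1; a <= 2; a++) for (b = 1; b <= 2; b++) {
        verdict = policy
        for (r = 1; r <= n; r++)
          if ((P[r] == "" || P[r] == protos[a]) &&
              (D[r] == "" || D[r] == ports[b])) { verdict = T[r]; break }
        if (verdict != "DROP" && verdict != "REJECT")
          print protos[a] "/" ports[b] " -> " (verdict == "" ? "no policy seen" : verdict)
      }
    }'
}

# Constructed sample: an earlier blanket TCP ACCEPT shadows the appended DROPs.
SAMPLE_SHADOWED='-P INPUT ACCEPT
-A INPUT -p tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5985 -j DROP
-A INPUT -p udp -m udp --dport 5985 -j DROP
-A INPUT -p tcp -m tcp --dport 5986 -j DROP
-A INPUT -p udp -m udp --dport 5986 -j DROP'

# Live use as root: iptables -S INPUT | winrm_gaps
```

Empty output means all four proto/port pairs end in DROP or REJECT; any line printed names a pair that is still reachable and the rule or policy responsible.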
Step Two: Harden Your WinRM Service Exposure
If you genuinely need WinRM for remote management, restrict it properly. Bind the service only to trusted internal IPs and use Windows Firewall or your host’s security group to whitelist management subnets exclusively.
Disable WinRM entirely if you’re managing the server another way — there’s no reason to leave it listening publicly. A service that isn’t running can’t be abused.
Practical Hardening Tips
• Use SSH or a VPN tunnel for remote server access instead of WinRM over open internet.
• Audit your firewall rules quarterly — old management ports have a habit of lingering.
• Monitor port 5985/5986 traffic in your logs for unexpected spikes.
Step Three: Add Deflect as a BGP-Announced Scrubbing Layer
iptables rules protect your server locally, but volumetric attacks saturate your upstream bandwidth before packets even reach your machine. This is where an upstream scrubbing service like Deflect becomes critical.
Deflect announces your IP space via BGP, rerouting traffic through scrubbing centers that filter attack traffic before it hits your network. Legitimate Arma Reforger players reach your server normally — attack traffic gets dropped at the edge.
This layer is especially valuable for community-run servers without enterprise-grade uplinks. If you’re serious about uptime, upstream protection isn’t optional.
Don’t Wait Until You’re Already Down
WinRM reflection attacks can escalate fast. Combining iptables ingress filtering, WinRM hardening, and an upstream scrubbing layer like Deflect gives you defense in depth that actually holds under pressure.
If you’d like help assessing your current exposure or configuring these protections correctly, professional DDoS protection consulting is available and can save you hours of painful trial and error.
Already under attack? Don’t sit on it — open a support ticket right now and get expert eyes on your situation before it gets worse.