Counter-Strike 2

Understanding DoS (Denial of Service) attacks
By Piksu ☁
How DoS (Denial of Service) attacks work and how to defend against them. (Servers only)
What is a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack, and how does it affect game servers?
A DoS attack is a cyber attack that tries to deny access to a service, hence the name. It works by exploiting weaknesses in the target's system architecture.
A well-orchestrated DoS attack can take almost any service down fairly easily, and latency-dependent services like game servers are extremely vulnerable to it.
A DoS attack against a game server causes unstable ping and in most cases pushes packet loss to very high levels, or even kills the connection to the game server entirely.
There are three basic kinds of DoS attack: volumetric, protocol and application attacks.
According to Arbor Networks, over half of DoS attacks nowadays are pure volumetric attacks.

Volumetric attacks are designed to exhaust all of the target's network resources simply by flooding the connection. Flooding is usually achieved by spamming the victim with UDP or TCP packets that carry an empty payload. If the packets sent use more bandwidth than the victim has available, the connection collapses.

Protocol attacks are more advanced than pure flooding because they exploit weaknesses in the Layer 3 and Layer 4 protocol stack (the network and transport layers). Protocol attacks don't try to consume all available bandwidth; they are designed to take down the firewalls and routers standing between the attacker and the victim.
The most common way to carry out a protocol attack is a SYN flood: a stream of TCP SYN packets is sent to the target so that its table of half-open connections (the TCP backlog) overflows, and the firewall/router has to spend all its available CPU cycles trying to track the opened TCP connections.
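The half-open connection build-up described above is visible on the host itself: each pending handshake shows up as a `SYN-RECV` socket. The script below is an added example, not part of this guide, that counts `SYN-RECV` entries per peer address in `ss -tan` output and flags peers above a threshold. The `ss` sample it parses is constructed for the example (not a real capture), the addresses are documentation ranges, and it assumes IPv4 peers and the standard `ss` column order.

```shell
#!/bin/sh
# Added example (not from the guide): detect SYN-flood symptoms by counting half-open
# TCP connections per peer in `ss -tan` output.
# Assumptions: IPv4 peers only; columns are State Recv-Q Send-Q Local Peer.

# Constructed sample of `ss -tan` output; 198.51.100.10 is the server, peers are made up.
SAMPLE_SS='State     Recv-Q Send-Q Local Address:Port    Peer Address:Port
SYN-RECV  0      0      198.51.100.10:27015   203.0.113.7:40001
SYN-RECV  0      0      198.51.100.10:27015   203.0.113.7:40002
ESTAB     0      0      198.51.100.10:27015   203.0.113.20:51234
SYN-RECV  0      0      198.51.100.10:443     203.0.113.7:40003
SYN-RECV  0      0      198.51.100.10:443     203.0.113.8:52000
SYN-RECV  0      0      198.51.100.10:27015   203.0.113.7:40004
LISTEN    0      128    0.0.0.0:27015         0.0.0.0:*'

# Read `ss -tan` output on stdin; print "<count> <peer-ip>" for half-open
# connections, highest count first. The peer column is "ip:port", so split on ':'.
half_open_by_peer() {
    awk '$1 == "SYN-RECV" { split($5, a, ":"); peer[a[1]]++ }
         END { for (p in peer) print peer[p], p }' | sort -rn
}

# Read `ss -tan` output on stdin; print peers with at least $1 half-open connections.
flag_peers() {
    threshold="$1"
    half_open_by_peer | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Wrappers that feed the constructed sample, so the functions run without a live `ss`.
sample_half_open() { printf '%s\n' "$SAMPLE_SS" | half_open_by_peer; }
sample_flagged()   { printf '%s\n' "$SAMPLE_SS" | flag_peers "$1"; }

# Live use on a Linux host would be:  ss -tan | flag_peers 50
# On the sample, a threshold of 3 flags only 203.0.113.7 (4 half-open connections).
sample_flagged 3
```

A genuine SYN flood usually spoofs source addresses, so the per-peer count will then be spread thin; in that case the total `SYN-RECV` count against a single local port is the better signal, and the same awk can be keyed on `$4` instead of `$5`.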

The last type of DoS is the application attack. It is the most sophisticated of the three, as it requires detailed knowledge of the target system.
It tries to exhaust resources at the application level, which causes the most damage to the victim server. Services on a game server that are vulnerable to it include, for example, the web server and the game server's rcon protocol.
Mitigating DoS-attacks is always challenging
Mitigating DoS attacks is always challenging, but on game servers it is even tougher because they cannot tolerate the added delay introduced by Layer-3 DoS protection services.

Successful DoS protection always comes down to one principle: block malicious traffic as far from the server as possible. For example, a UDP flood can't harm the server if it is already dropped in the carrier's network.

So you should aim to place your defenses out in the network rather than on the server itself, but this isn't always possible for services like virtual servers.

Protecting your services is simple in principle: minimize the attack surface. Block all ports and allow only the ones you actually need and use. You should also configure non-public services, such as management interfaces, to respond only to trusted IPs.
A large enough attack will always cause something to fail. The best you can do is make your server the strongest link in the chain, but that doesn't help if your carrier's network fails under the load.
How do you actually do your best to block DoS attacks?
Set up your firewall policy to discard every packet by default and allow only the ones you need.
For example, a CS:GO server needs only one port to work properly.
The same port is used for gameplay traffic and rcon, so for a CS:GO server we allow UDP and TCP packets on port 27015.
Another example is a TeamSpeak 3 server. It uses port 9987 for voice data and port 10011 for the rcon query interface.
Since we don't want to increase the attack surface, we only let voice data through the firewall by allowing UDP on port 9987.
Game servers often require a web server for additional downloads, so we need to secure that too.
Web servers use ports 80 and 443 by default; add a TCP rule for them.

Because TCP is a three-way-handshake protocol, we also need to allow it to use the ephemeral port range (replies to connections the server itself opens arrive on these ports).
The standard ephemeral port range on Unix systems is 32768-65535. We don't want it to be vulnerable to a SYN flood, so we only allow established connections on it.
This can be done by setting the firewall to accept TCP packets on that range only when they have the ACK flag set.
4 Comments
Koaz 4 Jun, 2022 @ 11:15pm 
brutal elmano
jesse 18 Dec, 2019 @ 8:22am 
when is who what do yes?
wolppi 16 Nov, 2019 @ 2:31pm 
what are talking this?
vegi 2 Nov, 2019 @ 4:31am 
how are he do?