Gate is a Minecraft reverse proxy that connects players to backend servers. This means that the backend server might be exposed to the Internet if they listen on public IPs and players could bypass your Gate instance without authentication.
To prevent this, you should configure your backend servers to only listen on private IPs and/or use a firewall to only allow connections from your Gate instance. You can also enable modern forwarding mode (Velocity mode) with using a secret and PaperMC to prevent players from connecting to your backend servers directly.
This does not apply to Lite mode, where backend servers should do the authentication.
DDoS Protecting your Minecraft server
If you are running a high-profile public Minecraft server, and you are not using Connect, having a good DDoS protection is essential to prevent your server from being taken offline.
If you are under attack, your server will be lagging, become unresponsive and timeout players. This is not good for your player experience nor your brand.
There are many ways to protect your server from DDoS attacks. Here are common methods proven to work very well in production:
OVHcloud Anti-DDoS cheap & reliable
OVH is a well known service provider that offers a very good DDoS protection service for your servers.
You don't need to host all your Minecraft servers on OVH, but you can set up Gate Lite on a tiny VPS instance and forward all your traffic to your backend servers.
OVH Anti-DDoS setup
- Create a VPS instance (any provider with good Anti-DDoS)
- Install Gate on your VPS with Lite mode enabled to point to your actual servers (not required)
- Activate Anti-DDoS in the OVH dashboard for your VPS
- Configure your DNS to point your domain to your VPS IP address
Cloudflare Spectrum very costly
Cloudlare is a well known service provider with global scale DDoS protection for TCP services using Cloudflare Spectrum
TCPShield uses OVH
TCPShield is a Minecraft proxy service that uses OVH's DDoS protection. It is free for small servers.