02.12.2014, 00:27
Quote:
Instead of selectively blocking traffic like a blacklist, selectively allow traffic like a whitelist. You only need to allow UDP packets on port 7777. Drop everything else. Assuming that localhost and SSH traffic is allowed by default, you only need two rules:
Rule #1: Allow UDP traffic on port 7777
Rule #2: Drop any traffic on any port
The server doesn't listen on ports that weren't sent to a player anyway, so just blocking everything won't change a thing; the DDoS just needs to target a port that isn't blocked, and they usually don't target any ports except the server port (7777) anyway, afaik.
What you'll need is a connection limiter script (bash) that automatically reacts to excessive traffic from a single client and drops its packets. This will reduce the effect of a DDoS, as the attack then just spams the connection but does not block the server, because the packets never reach it. Depending on the server's performance and the connection speed this can completely nullify the effects of a common small-scale DDoS.
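As an added illustration (not code from either poster), here is one way to combine the whitelist rules from the quote with the per-client limiter the reply describes, using iptables and its hashlimit match. The game port 7777 comes from the thread; the SSH port, the packets-per-second threshold and the burst size are assumptions to tune for your own server.

```bash
#!/bin/bash
# Added example: whitelist-style INPUT chain for a game server on UDP 7777,
# plus a per-source packet-rate limit that drops a flooding client's packets
# before they reach the server. Set IPT=echo (the default with no argument)
# for a dry run that only prints the rules; "apply" installs them.
set -eu

IPT="${IPT:-iptables}"
GAME_PORT="${GAME_PORT:-7777}"
SSH_PORT="${SSH_PORT:-22}"              # assumption: management on 22
PPS_LIMIT="${PPS_LIMIT:-200/second}"    # assumed per-source allowance
PPS_BURST="${PPS_BURST:-300}"           # assumed burst before dropping

apply_rules() {
    # Start from a clean INPUT chain and drop by default (the whitelist).
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP

    # Loopback and replies to connections the server itself opened.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Management access; restrict to a known source range where possible.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT

    # Connection limiter in front of Rule #1: a single source sending more
    # than PPS_LIMIT to the game port is dropped, other players are untouched.
    "$IPT" -A INPUT -p udp --dport "$GAME_PORT" \
        -m hashlimit --hashlimit-name game-pps --hashlimit-mode srcip \
        --hashlimit-above "$PPS_LIMIT" --hashlimit-burst "$PPS_BURST" \
        --hashlimit-htable-expire 10000 -j DROP
    # Rule #1: remaining traffic to the game port is allowed.
    "$IPT" -A INPUT -p udp --dport "$GAME_PORT" -j ACCEPT
    # Rule #2: the default DROP policy covers every other port.
}

# Number of chain rules the ruleset emits, for a dry-run sanity check.
rule_count() { IPT=echo apply_rules | grep -c -- '-A INPUT'; }

if [ "${1:-dry-run}" = "apply" ]; then
    apply_rules
else
    IPT=echo apply_rules
fi
```

Run it once with no arguments to review the generated rules, then as root with `apply`; the limiter rule must stay above the accept rule, since iptables matches top to bottom.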