Port reference

Port 27015 (UDP/TCP) – Source / Steam game server

Default port for Source engine and Steam dedicated game servers, carrying game traffic, A2S server queries, and SourceTV/RCON.

udp | tcp | Registered | Commonly attacked

Default state

Open on Source engine and Steam dedicated servers (CS:GO, TF2, Garry's Mod). Commonly exposed directly to the internet for public play.

Common attacks

  • A2S query reflection/amplification DDoS using spoofed source IPs
  • Volumetric DDoS to knock game servers offline
  • RCON brute force and abuse for server takeover
  • Malformed query/packet flooding causing crashes

Hardening

  • Rate-limit and filter A2S queries to blunt reflection abuse
  • Set a strong RCON password and restrict RCON source IPs
  • Front the server with DDoS scrubbing and connection rate limits
  • Keep the game server software patched against query parser bugs
  • Disable unused query/SourceTV ports and run as an unprivileged user

nmap snippet

nmap -sU -p27015 --script banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 27015?

Port 27015 is the default for Source engine and Steam dedicated game servers — CS:GO, Team Fortress 2, Garry's Mod and more. Over UDP it carries game traffic and the A2S server query interface (A2S_INFO, A2S_PLAYER) used by server browsers, while TCP handles RCON remote administration and SourceTV. Public servers expose it directly to the internet.

Why it matters for security

The A2S query interface returns responses larger than the request, making 27015 a classic source of UDP reflection/amplification DDoS: attackers spoof a victim's IP and bounce amplified replies off many game servers. The servers themselves are also volumetric DDoS targets, and an exposed RCON with a weak password leads to full server takeover.

How it's attacked

Attackers send spoofed A2S queries to harvest amplified replies aimed at a victim, and flood individual servers with volumetric DDoS to knock them offline. They brute-force RCON for server control and send malformed packets to crash vulnerable query parsers.

Hardening checklist

Rate-limit and filter A2S queries to blunt reflection abuse, and front the server with DDoS scrubbing plus connection rate limits. Set a strong RCON password and restrict RCON source IPs. Keep the server software patched against query parser bugs, disable unused query/SourceTV ports, and run as an unprivileged user. Use the nmap snippet above only against servers you operate.
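An added example, not from the original page or from any game-server project, of the A2S filtering and rate limiting in the checklist above: it recognises A2S queries, drops malformed ones, and applies a token bucket per claimed source IP, which caps what a spoofed victim address can receive from this server. The header bytes follow Valve's public server query protocol; the class and function names, the rates, and the sample packets are assumptions constructed for illustration.

```python
# Header bytes per Valve's public server query protocol: a connectionless
# packet is 0xFFFFFFFF followed by a one-byte query type.
A2S_PREFIX = b"\xff\xff\xff\xff"
A2S_TYPES = {0x54: "A2S_INFO", 0x55: "A2S_PLAYER", 0x56: "A2S_RULES"}
INFO_BODY = b"Source Engine Query\x00"

def classify(payload: bytes):
    """Return the query name, 'malformed', or None if not an A2S query."""
    if len(payload) < 5 or not payload.startswith(A2S_PREFIX):
        return None
    kind = A2S_TYPES.get(payload[4])
    if kind is None:
        return None
    body = payload[5:]
    if kind == "A2S_INFO":
        # Fixed string, optionally followed by a 4-byte challenge.
        ok = body.startswith(INFO_BODY) and len(body) - len(INFO_BODY) in (0, 4)
    else:
        ok = len(body) == 4  # challenge only
    return kind if ok else "malformed"

class QueryLimiter:
    """Token bucket per claimed source IP (hypothetical helper)."""
    def __init__(self, rate=2.0, burst=4):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # src_ip -> (tokens, last_seen)

    def allow(self, src_ip: str, payload: bytes, now: float) -> bool:
        kind = classify(payload)
        if kind is None:
            return True    # game traffic: not this filter's job
        if kind == "malformed":
            return False   # never hand odd queries to the parser
        tokens, last = self.buckets.get(src_ip, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[src_ip] = (tokens - 1 if allowed else tokens, now)
        return allowed

if __name__ == "__main__":
    # Constructed sample: one source sending five A2S_INFO queries at t=0.
    lim = QueryLimiter(rate=1.0, burst=2)
    info = A2S_PREFIX + b"T" + INFO_BODY
    print([lim.allow("198.51.100.7", info, 0.0) for _ in range(5)])
```

The bucket table is unbounded here; a deployed filter would expire idle entries so a flood of random spoofed sources cannot grow it without limit.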

Frequently asked questions

Why is port 27015 used in DDoS reflection?

Source servers answer A2S queries (A2S_INFO/A2S_PLAYER) with responses larger than the request. An attacker spoofs the victim's IP, sends queries to many servers, and the amplified replies flood the victim — a UDP reflection/amplification attack.

Does port 27015 use TCP or UDP?

Primarily UDP for game traffic and A2S queries, with TCP used for RCON and some services. The UDP query interface is what makes it abusable for amplification, so rate-limit it.