diff --git a/deploy/files/etc/sysctl.d/99-left4me.conf b/deploy/files/etc/sysctl.d/99-left4me.conf
index 9212bbb..0860833 100644
--- a/deploy/files/etc/sysctl.d/99-left4me.conf
+++ b/deploy/files/etc/sysctl.d/99-left4me.conf
@@ -19,3 +19,18 @@ net.core.netdev_budget = 600
 # Latency-sensitive default: avoid swap unless the box is really under
 # pressure. Harmless on swapless hosts.
 vm.swappiness = 10
+
+# Per-socket UDP buffer floors: protect game-server sockets that don't bump
+# their own SO_RCVBUF/SO_SNDBUF when softirq drains lag briefly.
+net.ipv4.udp_rmem_min = 16384
+net.ipv4.udp_wmem_min = 16384
+
+# Default qdisc for ifaces we don't explicitly shape with CAKE. Debian Trixie
+# already defaults to fq_codel; setting it explicitly is belt-and-suspenders
+# and survives kernel-default churn.
+net.core.default_qdisc = fq_codel
+
+# TCP congestion control: BBR for any bulk TCP egress on the host (admin SSH,
+# backups, package fetches, web-app responses) so a long flow does not push
+# the bottleneck queue ahead of game UDP. UDP srcds is unaffected.
+net.ipv4.tcp_congestion_control = bbr
diff --git a/deploy/tests/test_deploy_artifacts.py b/deploy/tests/test_deploy_artifacts.py
index c8c2928..d9c406d 100644
--- a/deploy/tests/test_deploy_artifacts.py
+++ b/deploy/tests/test_deploy_artifacts.py
@@ -207,6 +207,10 @@ def test_sysctl_conf_present_with_perf_settings():
         "net.core.netdev_max_backlog = 5000",
         "net.core.netdev_budget = 600",
         "vm.swappiness = 10",
+        "net.ipv4.udp_rmem_min = 16384",
+        "net.ipv4.udp_wmem_min = 16384",
+        "net.core.default_qdisc = fq_codel",
+        "net.ipv4.tcp_congestion_control = bbr",
     ):
         assert line in text, f"missing {line!r} in 99-left4me.conf"