DDoS Protection
Overview
Zenlayer provides automatic DDoS mitigation for all Elastic IP (EIP) addresses on Zenlayer Elastic Compute (ZEC) instances. When traffic shows signs of a volumetric attack — a sudden spike in bandwidth, a flood of new connection attempts, or a surge in packet rate — the platform detects and mitigates it in real time. No configuration is required; both layers are enabled by default for all EIPs.
The platform provides two complementary layers of protection:
DDoS Protection sits upstream: it inspects traffic before it reaches your instance, cleans it, and passes only legitimate requests through.
EIP Blocked Rules operate at the network edge on a per-EIP basis — they're available in every region, including regions where DDoS Protection isn't yet deployed, and apply threshold-based blocking as a last line of defense.
This guide explains how those two layers work, how they interact, and how to get the most out of each.
Scope: This guide covers network-layer protection only (Layers 3 and 4).
Protection Pipeline
The following diagram illustrates how inbound traffic flows through the protection pipeline before reaching your cloud instance.
In short: traffic hits DDoS Protection first (where available), which filters and cleans it. Whatever passes through then reaches the EIP Blocked Rules layer, which applies per-EIP threshold checks. Your instance only receives traffic that has cleared both layers.
How They Work Together
If your region has DDoS Protection: Inbound traffic passes through both layers in sequence. DDoS Protection detects anomalous traffic, diverts it to the cleaning center via BGP, and redelivers only clean packets. Those packets then pass through EIP Blocked Rules, which apply per-EIP threshold checks as a second layer. Your instance receives traffic that has cleared both.
If your region does not have DDoS Protection: EIP Blocked Rules are your primary inbound defense. They block traffic that exceeds per-EIP thresholds and protect against outbound anomalies via OutCPS monitoring. Advanced features — traffic cleaning, fingerprint detection, geo-blocking — are not available in these regions.
In both cases: EIP Blocked Rules monitor OutCPS (outbound connections per second) independently. This catches potentially compromised instances initiating outbound attacks, regardless of which inbound protection layer is active.
In This Guide
How DDoS Protection works, regional availability, the cleaning lifecycle
Step-by-step cleaning pipeline, scrubbing architecture, architecture diagram
Threshold-based blocking, inbound vs. outbound protection
BPS, PPS, InCPS, OutCPS explained with attack scenarios
Side-by-side comparison table
Operational guidance for getting the most out of both layers
How to configure DDoS policies, thresholds, and rules
Frequently Asked Questions
How much does it cost? EIP Blocked Rules are included at no additional cost for all EIPs. For DDoS Protection pricing, see the Zenlayer console.
What happens when my EIP is blackholed? All traffic to the EIP is dropped for a default duration of 2 hours. You can manually release it from the management console.
How long does a block last? Blocks expire after 2 hours by default, after which traffic is re-evaluated.
Which regions have DDoS Protection? See the Regional Availability table on the DDoS Protection page. All regions without DDoS Protection are covered by EIP Blocked Rules.
Last updated