# DDoS Protection Overview

DDoS Protection is a multi-layer defense system that detects and mitigates distributed denial-of-service attacks in real time. It is deployed in select regions where dedicated mitigation infrastructure is available.

## Key Capabilities

* **Traffic cleaning:** Diverts suspicious traffic to a scrubbing center via BGP, filters it, and redelivers clean packets to your instance — without interrupting legitimate traffic.
* **Protocol filtering:** Validates traffic at the protocol level (TCP, UDP, ICMP) and drops malformed or suspicious packets before they reach your instance.
* **Fingerprint detection:** Matches traffic against known attack signatures — specific payload patterns, port ranges, and packet sizes — to block attacks that evade simple rate limits.
* **Geographic filtering:** Block inbound traffic by country. Useful for services that don't operate in certain regions and want to reduce exposure without managing individual IPs.
* **IP allow/block lists:** Explicitly permit or deny traffic from specific source addresses. Useful for protecting APIs that only serve known partners.
* **Blackhole routing:** Under extreme volumetric attacks that exceed cleaning capacity, all traffic to the affected EIP is blackholed as a last resort to protect the broader infrastructure.

> For step-by-step instructions on configuring these capabilities, see the [DDoS Protection Configuration Guide](https://docs.console.zenlayer.com/welcome/elastic-compute/01-overview/09-configuration-guide).

## Regional Availability

DDoS Protection is currently available in the following regions. In regions where it isn't deployed, EIP Blocked Rules provide threshold-based protection for all EIPs.

| Availability Zone | Location         | DDoS Protection |
| ----------------- | ---------------- | --------------- |
| asia-southeast-5a | Hanoi            | Available       |
| asia-southwest-1a | Singapore        | Available       |
| asia-southeast-2a | Jakarta          | Available       |
| sa-south-1a       | Santiago         | Available       |
| asia-southeast-4a | Ho Chi Minh City | Available       |
| asia-southeast-1a | Hong Kong        | Coming soon     |
| asia-southeast-3a | Kuala Lumpur     | Coming soon     |
| asia-southeast-6a | Manila           | Coming soon     |
| na-central-2a     | Dallas           | Coming soon     |
| na-east-1a        | Washington, D.C. | Coming soon     |
| na-south-1a       | Miami            | Coming soon     |
| na-west-1a        | Los Angeles      | Coming soon     |
| sa-east-1a        | São Paulo        | Coming soon     |
| sa-north-1a       | Bogota           | Coming soon     |
| sa-south-2a       | Buenos Aires     | Coming soon     |
| sa-west-1a        | Lima             | Coming soon     |
| europe-central-1a | Frankfurt        | Coming soon     |
| europe-east-1a    | Istanbul         | Coming soon     |
| europe-south-1a   | Marseille        | Coming soon     |
| me-central-1a     | Riyadh           | Coming soon     |

*This list is updated as new regions come online.*

## How Cleaning Is Triggered

When the analysis system determines that an EIP is under attack, traffic is automatically rerouted to a cleaning center, scrubbed, and redelivered to your instance. The entire process completes within seconds and requires no action on your part.

For a detailed walkthrough of the cleaning pipeline — including detection, BGP diversion, scrubbing stages, and re-injection — see [How Traffic Cleaning Works](https://docs.console.zenlayer.com/welcome/elastic-compute/01-overview/03-cleaning-deep-dive).

## Cleaning Event Lifecycle

Each cleaning event goes through a defined set of states. Understanding this lifecycle helps you interpret notifications and plan your response:

| State             | Description                                                             | What Happens Next                                                                  |
| ----------------- | ----------------------------------------------------------------------- | ---------------------------------------------------------------------------------- |
| **Cleaning**      | Attack detected; traffic diverted to cleaning center.                   | If attack subsides → End Cleaning. If it exceeds cleaning capacity → Blackhole.    |
| **End Cleaning**  | Attack mitigated; traffic returns to normal path.                       | Normal operation resumes. No action needed.                                        |
| **Blackhole**     | Attack exceeds cleaning capacity. All traffic to the EIP is blackholed. | Auto-expires after block duration (default: 2 hours), or can be manually released. |
| **End Blackhole** | Blackhole released. Traffic restored.                                   | Normal operation resumes.                                                          |

*To manually release a blackhole before it expires, use the DDoS Protection page in the* [*management console*](https://console.zenlayer.com/zec/ddos/policy)*.*

**Notifications:** Event notifications are delivered via email and the management console. To configure notification preferences or add additional recipients, see the [Notification Settings](https://console.zenlayer.com/notification/) page in the console.

## Relationship to EIP Blocked Rules

If your region has DDoS Protection, you get everything EIP Blocked Rules offers — threshold-based blocking — plus traffic cleaning, fingerprint detection, protocol filtering, and geo-blocking. EIP Blocked Rules are always active as a second layer, even when DDoS Protection is running.