# Feature Comparison

The table below covers the primary differences between DDoS Protection and EIP Blocked Rules. For a full list of configurable options within each layer, see the [DDoS Protection Configuration Guide](https://docs.console.zenlayer.com/welcome/elastic-compute/01-overview/09-configuration-guide).

| Feature                   | DDoS Protection                                | EIP Blocked Rules                         |
| ------------------------- | ---------------------------------------------- | ----------------------------------------- |
| **Availability**          | Select regions                                 | All regions                               |
| **Pipeline Position**     | First layer (upstream)                         | Second layer (downstream)                 |
| **Monitored Metrics**     | BPS, PPS, InCPS                                | BPS, PPS, InCPS, OutCPS                   |
| **Attack Mitigation**     | Traffic cleaning via BGP diversion + scrubbing | Threshold-based blackhole / NIC blocking  |
| **Traffic Cleaning**      | Yes — separates legitimate from attack traffic | No — block/allow only                     |
| **Fingerprint Detection** | Yes — payload-pattern matching                 | No                                        |
| **Protocol Filtering**    | Yes — TCP, UDP, ICMP analysis                  | No                                        |
| **Geo-blocking**          | Yes — country-level filtering                  | No                                        |
| **IP Allow/Block Lists**  | Yes                                            | No                                        |
| **Blackhole Routing**     | Yes (escalation from cleaning)                 | Yes (primary action)                      |
| **Outbound Protection**   | No                                             | Yes — NIC-level blocking on OutCPS breach |
| **Custom Thresholds**     | Yes — per-policy configuration                 | Yes — per-EIP configuration               |