# Best Practices

## Deploy in DDoS-protected regions when possible

For workloads sensitive to DDoS attacks, choose regions with DDoS Protection. The BGP diversion and scrubbing pipeline provides significantly stronger defense than threshold-based blocking alone. See [Regional Availability](https://docs.console.zenlayer.com/welcome/elastic-compute/02-ddos-protection#regional-availability) for the current list.

## Validate thresholds before you need them

Default thresholds are calibrated for general workloads — not tuned for yours. If your application routinely runs near those limits (a media server with sustained high BPS, a game server with high PPS), you're one traffic spike away from a false-positive block. Review your peak traffic metrics against your current thresholds and adjust proactively. Navigate to the [Elastic IPv4](https://console.zenlayer.com/zec/elastic-ip) page, click the **⋯** menu in the Actions column, and select **Change Block Threshold**.

## Take OutCPS blocks seriously

An OutCPS-triggered block usually means an instance is initiating outbound connections at an abnormal rate — a common sign of compromise. When you see one, check the instance for unusual processes or connections before re-enabling internet access.
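One way to run the connection check described above on a Linux instance, as an added example that is not part of the Zenlayer documentation. It assumes iproute2's `ss` is installed; the function names are hypothetical, and treating any connection whose local port has no listener as outbound is a heuristic.

```shell
#!/usr/bin/env bash
# Added example: summarize outbound TCP fan-out from `ss -Htn` output.
# On a live host:  ss -Htn | outbound_fanout "$(listening_ports)"

# Local ports that have a listener; connections on these ports are inbound.
listening_ports() {
  ss -Htln | awk '{ p = $4; sub(/.*:/, "", p); print p }' | sort -un | tr '\n' ' '
}

# Reads `ss -Htn` lines on stdin; $1 = space-separated listening ports.
# Prints "remote_port connections distinct_hosts syn_sent", busiest first.
outbound_fanout() {
  awk -v listen="$1" '
    BEGIN { n = split(listen, a, " "); for (i = 1; i <= n; i++) srv[a[i]] = 1 }
    NF >= 5 {
      lport = $4; sub(/.*:/, "", lport)
      if (lport in srv) next            # traffic of a local service, not outbound
      rport = $5; sub(/.*:/, "", rport)
      rhost = $5; sub(/:[^:]*$/, "", rhost)
      conns[rport]++
      if ($1 == "SYN-SENT") syn[rport]++
      if (!((rport, rhost) in seen)) { seen[rport, rhost] = 1; hosts[rport]++ }
    }
    END { for (p in conns) print p, conns[p], hosts[p], syn[p] + 0 }
  ' | sort -k2,2nr -k1,1n
}

# Constructed sample input (documentation address ranges), not real traffic.
sample_ss_output() {
  cat <<'EOF'
ESTAB    0 0 10.0.0.5:22     203.0.113.7:51234
ESTAB    0 0 10.0.0.5:443    203.0.113.9:40100
ESTAB    0 0 10.0.0.5:51544  198.51.100.10:443
SYN-SENT 0 1 10.0.0.5:40122  198.51.100.23:23
SYN-SENT 0 1 10.0.0.5:40124  198.51.100.24:23
SYN-SENT 0 1 10.0.0.5:40126  198.51.100.25:23
ESTAB    0 0 10.0.0.5:40128  198.51.100.26:23
SYN-SENT 0 1 [2001:db8::5]:40130 [2001:db8::99]:23
EOF
}

# Demo on the constructed sample, with ports 22 and 443 as local listeners.
sample_ss_output | outbound_fanout "22 443"
```

A remote port with many distinct hosts and mostly `SYN-SENT` entries is the row to investigate first; `ss -Htnp` (run as root) adds the owning process to each connection.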

## Use DDoS Protection policies for proactive defense

Leverage fingerprint rules, geo-blocking, and IP allow/block lists to proactively reduce your attack surface rather than relying solely on reactive threshold-based blocking. See the [Configuration Guide](https://docs.console.zenlayer.com/welcome/elastic-compute/01-overview/09-configuration-guide) for setup instructions.

## Design for block resilience

Blocks last 2 hours by default. If uptime is critical, don't rely on a single EIP per service — use multiple EIPs with load balancing so that a block on one doesn't take down the service entirely.

## Understand the cleaning lifecycle

Cleaning events progress through defined states (Cleaning → End Cleaning, or Cleaning → Blackhole → End Blackhole). If you see frequent escalations to blackhole, review and optimize your DDoS policies in the [management console](https://console.zenlayer.com/zec/ddos/policy). See [Cleaning Event Lifecycle](https://docs.console.zenlayer.com/welcome/elastic-compute/02-ddos-protection#cleaning-event-lifecycle) for details.

***

## Troubleshooting

**My EIP is blocked and I can't reach my instance**

Your EIP was likely blackholed due to a threshold breach. Go to the [DDoS Protection events page](https://console.zenlayer.com/zec/ddos/attack) to check status and manually release the blackhole.

**I'm getting blocked during normal traffic spikes**

Your thresholds may be too low for your workload. Navigate to the [Elastic IPv4](https://console.zenlayer.com/zec/elastic-ip) page, click the **⋯** menu on the affected EIP, and select **Change Block Threshold**.

**My instance is sending outbound traffic I didn't initiate**

An OutCPS block means your instance may be compromised. Investigate running processes and connections before re-enabling internet access.
