
Anti-DDoS: Install the TOA kernel module to obtain the originating IP addresses of requests

Last Updated: Apr 18, 2024

If you use an Elastic Compute Service (ECS) instance or a server in your data center as the origin server and add the port of your service to Anti-DDoS Proxy for protection, traffic of requests for the service is scrubbed by Anti-DDoS Proxy and then forwarded to the origin server. The origin server cannot directly obtain the originating IP addresses of the requests. To obtain the originating IP addresses, you can install the TCP Option Address (TOA) kernel module on the origin server. This topic describes how to install the TOA kernel module.

Scenarios

  • Anti-DDoS Proxy - ECS instance: The origin server is deployed on an ECS instance. Traffic is scrubbed by Anti-DDoS Proxy and forwarded to the origin server that is deployed on the ECS instance.

  • Anti-DDoS Proxy - Layer 4 Server Load Balancer (SLB) instance - ECS instance: The origin server is deployed on an ECS instance. Traffic is scrubbed by Anti-DDoS Proxy. Then, a Layer 4 SLB instance forwards the traffic to the origin server that is deployed on the ECS instance.

  • Anti-DDoS Proxy - Server in your data center: The origin server is deployed in your data center. Requests are first scrubbed by Anti-DDoS Proxy and then forwarded to the origin server that is deployed in your data center.

Usage notes

  • The methods that are described in this topic apply only to Linux kernel-based operating systems.

  • The methods can be used only on TCP-based non-website services that are added to Anti-DDoS Proxy by using ports. UDP-based services are not supported. For more information about how to obtain the originating IP addresses of requests from website services, see Obtain the originating IP addresses of requests.

  • Make sure that your server can access the TOA source code download link.

  • If you are a non-root user, you must have the sudo permissions.

  • We recommend that you perform the operations that are described in this topic in a test environment and check whether the operations affect the stability of the environment. If the operations do not affect the stability of the environment, perform the operations in a production environment.

  • If your operating system has a built-in TOA kernel module, we recommend that you back up the module in advance. If the operating system fails to start after the new module is installed, you can restore it by switching back to the original TOA kernel module.

  • The TOA kernel module is used to convert the address data carried in requests and is deployed in bypass mode. The module has minimal impact on network performance.

  • After the Linux kernel is upgraded, the original TOA kernel module does not match the upgraded Linux kernel. You must recompile and install the TOA kernel module each time you upgrade the Linux kernel.

Method 1: Load the VTOA kernel module by running the modprobe command

This method is suitable only for Alibaba Cloud Linux 3.

  1. Load the VTOA kernel module.

    #modprobe vtoa
  2. Check whether the VTOA module is loaded.

    #lsmod | grep vtoa
  3. Configure the VTOA kernel module to automatically load when the operating system starts.

    1. Create the /etc/sysconfig/modules/vtoa.modules file and add the following content to the file:

      #!/bin/bash
      modprobe vtoa > /dev/null 2>&1
    2. Run the following command to grant execute permissions to the vtoa.modules file:

      sudo chmod +x /etc/sysconfig/modules/vtoa.modules

Method 2: Load the TOA kernel module by using the source code

  1. Access the TOA source code download link to download the source code package.

    • If the kernel version is 2.x, use the toa_kernel2.x file.

    • If the kernel version is 3.x, use the toa_kernel3.x file.

    • If the kernel version is 4.x or 5.x, use the toa_kernel_common file.

  2. Install the compilation environment (gcc, kernel-headers, and kernel-devel).

    • CentOS

      #yum install gcc kernel-headers kernel-devel -y
    • Ubuntu or Debian

      #apt-get install gcc linux-headers-$(uname -r) -y
  3. Compile the TOA kernel module.

    Decompress the source code package, run the cd command to open the folder, and then compile the source code file. If no warning or error messages appear during the compilation process, the compilation is successful. Check whether the toa.ko file is generated in the current directory.

    // The path of the source code package. In this example, the path of the toa_kernel3.x file is used.
    #cd toa_kernel3.x/
    // Perform the compilation.
    #make
    Note

    If you want to load the TOA kernel module on another server, copy the toa.ko file to that server and perform the following steps there.

  4. Load the TOA kernel module.

    #mv toa.ko /lib/modules/`uname -r`/kernel/net/netfilter/ipvs/toa.ko && depmod
    #insmod /lib/modules/`uname -r`/kernel/net/netfilter/ipvs/toa.ko
  5. Check whether the TOA kernel module is loaded.

    # lsmod | grep toa
  6. Configure the TOA kernel module to automatically load when the operating system starts.

    • CentOS

      1. Create the /etc/sysconfig/modules/toa.modules file and add the following content to the file:

        #!/bin/bash
        if [ -e /lib/modules/`uname -r`/kernel/net/netfilter/ipvs/toa.ko ] ;
        then
        insmod /lib/modules/`uname -r`/kernel/net/netfilter/ipvs/toa.ko > /dev/null 2>&1
        fi
      2. Run the following command to grant execute permissions to the toa.modules file:

        sudo chmod +x /etc/sysconfig/modules/toa.modules
    • Ubuntu or Debian

      Create the /etc/modules-load.d/toa.conf file and add the following content to the file:

      toa
  7. Run the sudo reboot command to restart the operating system.

Method 3: Load the TOA kernel module by using RPM Package Manager (RPM)

Supported operating systems:

  • Redhat Linux

  • CentOS 6.x

  • CentOS 7.x

  1. Download the installation file of the TOA kernel module based on the operating system of your server.

  2. Install the TOA kernel module.

    • CentOS 7.x

      Go to the directory of the installation file and run the following command:

      sudo yum localinstall kernel-3.10.0-957.21.3.el7.toa.x86_64.rpm
      Note

      To prevent dependency issues, we recommend that you use the yum localinstall command. You can also use the sudo rpm -ivh kernel-3.10.0-957.21.3.el7.toa.x86_64.rpm command.

    • CentOS 6.x or Red Hat Enterprise Linux

      Go to the directory of the installation file and run the following command:

      sudo rpm -ivh kernel-firmware-2.6.32-696.13.2.el6.centos.plus.toa.x86_64.rpm
      sudo rpm -ivh kernel-2.6.32-696.13.2.el6.centos.plus.toa.x86_64.rpm
      Note
      • If the installed kernel-firmware package is already version 2.6.32-696.13.2.el6.centos.plus.toa or later, run only the second of the preceding commands.

      • If dependency issues occur during installation, add the --nodeps parameter to the rpm command.

      • If the kernel version is later than the version of the TOA kernel module, add the --force parameter to the rpm command to forcibly install the kernel.

  3. Configure the TOA kernel module to automatically load when the operating system starts.

    1. Create the /etc/sysconfig/modules/toa.modules file and add the following content to the file:

      • CentOS 7.x:

        #!/bin/bash
        if [ -e /lib/modules/`uname -r`/kernel/net/toa/toa.ko.xz ] ;
        then
        modprobe toa > /dev/null 2>&1
        fi
      • CentOS 6.x or Red Hat Enterprise Linux:

        #!/bin/bash
        if [ -e /lib/modules/`uname -r`/kernel/net/toa/toa.ko ] ;
        then
        modprobe toa > /dev/null 2>&1
        fi
    2. Run the following command to grant execute permissions to the toa.modules file:

      sudo chmod +x /etc/sysconfig/modules/toa.modules
  4. Run the reboot command to restart the operating system.

Results

After the TOA kernel module is installed, the server can obtain the originating IP addresses of requests.

If the server cannot obtain the originating IP addresses of requests, we recommend that you run the lsmod|grep toa command to check whether the TOA kernel module is loaded. If the TOA module is not loaded, run the modprobe toa command to manually load the module. After the TOA kernel module is loaded, you can view server access logs and test whether the origin server can obtain the originating IP addresses of requests.
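As an added example (not from the original page and not the TOA module's own code), the following Python parses the TCP option that Anti-DDoS Proxy inserts into the SYN and that the TOA kernel module reads on the origin server, so you can confirm from a packet capture on the origin server that the option is actually arriving, independently of whether the module is loaded. It assumes the option layout of the open-source TOA module (option kind 254, total length 8, then a 2-byte port and a 4-byte IPv4 address in network byte order); the sample SYN, IP address and ports are constructed.

```python
import struct
from typing import Optional, Tuple

# Option layout assumed from the open-source TOA module (not stated on this page):
# kind 254, total length 8, then a 2-byte port and a 4-byte IPv4 address,
# both in network byte order.
TOA_KIND = 254
TOA_LEN = 8

def parse_toa(tcp_segment: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from the TOA option of a TCP segment, or None if absent.

    tcp_segment starts at the TCP header (IP header already stripped). A
    malformed option list raises ValueError rather than being skipped silently.
    """
    if len(tcp_segment) < 20:
        raise ValueError("truncated TCP header")
    header_len = (tcp_segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(tcp_segment):
        raise ValueError("invalid TCP data offset")
    opts = tcp_segment[20:header_len]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP padding: one byte, no length
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length out of range")
        if kind == TOA_KIND and length == TOA_LEN:
            port, raw_ip = struct.unpack("!H4s", opts[i + 2:i + 8])
            return ".".join(str(b) for b in raw_ip), port
        i += length
    return None

def build_syn(client_ip: str, client_port: int, with_toa: bool = True) -> bytes:
    """Constructed SYN as the proxy would send it: MSS, NOP, NOP, SACK-permitted[, TOA]."""
    opts = struct.pack("!BBH", 2, 4, 1460) + b"\x01\x01" + bytes([4, 2])
    if with_toa:
        ip = bytes(int(o) for o in client_ip.split("."))
        opts += struct.pack("!BBH4s", TOA_KIND, TOA_LEN, client_port, ip)
    opts += b"\x01" * (-len(opts) % 4)   # pad to a 4-byte boundary
    data_offset = (20 + len(opts)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, data_offset << 4, 0x02, 65535, 0, 0) + opts
```

On a real capture, feed parse_toa the bytes after the IP header of the SYN that Anti-DDoS Proxy sends to the origin; a None result means the originating address never reached the server and the problem is upstream of the kernel module.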

Reference

  • To temporarily disable the TOA kernel module, run the rmmod command with the path or file name of the TOA kernel module. Example:

    rmmod toa.ko
  • Uninstall the TOA kernel module.

    rmmod toa
  • Check whether the TOA kernel module is uninstalled. If the "TOA unloaded" message is displayed, the TOA kernel module is uninstalled.

    dmesg -T