
Anti-DDoS: Obtain the originating IP addresses of requests

Last Updated: Apr 19, 2024

After you add a website service to Anti-DDoS Proxy, Anti-DDoS Proxy scrubs the traffic that is destined for the service and then forwards the traffic to the origin server. The origin server can obtain the originating IP addresses of requests from the X-Forwarded-For header or by installing the TCP Option Address (TOA) kernel module. This topic describes how to obtain the originating IP addresses of requests.

Non-website service provided by using a port

  • Anti-DDoS Proxy instance that uses an IPv4 address: In some scenarios, you can install the TOA kernel module to obtain the originating IP addresses of requests. For more information, see Install the TOA kernel module to obtain the originating IP addresses of requests. If the TOA kernel module cannot be installed, contact technical support.

    How to use the TCP OPTION field: After you add a non-website service at Layer 4 to Anti-DDoS Proxy, Anti-DDoS Proxy connects to the origin server by using a three-way handshake. The last ACK packet that Anti-DDoS Proxy sends carries the originating port number and IP address in the TCP OPTION field. The size of the information is 8 bytes. The following figure shows the information in the ACK packet.

    [Figure: TCP Option]

    The value of Magic Number indicates the originating port number, which is a hexadecimal string. In this example, the originating port number is c4 06. The originating IP address is indicated by the next 4 bytes following the originating port number. In this example, the originating IP address is 65 ** ** 85. Convert c4 06 and 65 ** ** 85 from hexadecimal to decimal to obtain the originating port number and IP address. In this example, the originating port number is 50182 and the originating IP address is 101.***.***.133.

  • Anti-DDoS Proxy instance that uses an IPv6 address: You cannot obtain the originating IP addresses of requests.

Important

To prevent the traffic from the back-to-origin CIDR blocks of your Anti-DDoS Proxy instance from being blocked, we recommend that you add the back-to-origin CIDR blocks of the instance to the whitelist of the origin server. For more information about how to query back-to-origin CIDR blocks of an Anti-DDoS Proxy instance, see Allow back-to-origin CIDR blocks to access the origin server.

  • If your origin server is an Elastic Compute Service (ECS) instance, add the back-to-origin CIDR blocks of your Anti-DDoS Proxy instance to the security group of the ECS instance. For more information, see Add a security group rule.

  • If your origin server is an ECS instance that is deployed after a Server Load Balancer (SLB) instance, add the back-to-origin CIDR blocks of your Anti-DDoS Proxy instance to the whitelist of the SLB instance. For more information, see Enable access control.

Website service provided by using a domain name

If service requests are forwarded to the origin server by a Layer 7 proxy server, such as an Anti-DDoS Proxy instance, the source IP addresses that the origin server sees on the connections are the back-to-origin IP addresses of the Anti-DDoS Proxy instance. The real originating IP addresses are recorded in the X-Forwarded-For header. The format is X-Forwarded-For: Originating IP address, Back-to-origin IP address of Anti-DDoS Proxy.

If the requests pass through more than one proxy server, the X-Forwarded-For header records the originating IP addresses and the IP addresses of all proxy servers. The format is X-Forwarded-For: Originating IP address, IP address of Proxy server 1, IP address of Proxy server 2, IP address of Proxy server 3, .... The proxy server can be a Web Application Firewall (WAF) instance or an Alibaba Cloud CDN (CDN) instance.

A common web application server can use the X-Forwarded-For header to obtain the originating IP addresses of requests.

You can use the following methods to obtain the value of the X-Forwarded-For header in different programming languages:

  • ASP

    Request.ServerVariables("HTTP_X_FORWARDED_FOR")

  • ASP.NET (C#)

    Request.ServerVariables["HTTP_X_FORWARDED_FOR"]

  • PHP

    $_SERVER["HTTP_X_FORWARDED_FOR"]

  • JSP

    request.getHeader("X-Forwarded-For")

In the X-Forwarded-For header, the IP address before the first comma (,) is the originating IP address of a request.
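The following is an added example, not code from this page or from Alibaba Cloud. It implements the leftmost-entry rule above and, beside it, a stricter variant that starts from the TCP peer and walks the X-Forwarded-For chain from the right, discarding every address that falls in the back-to-origin CIDR blocks the origin server already whitelists, so that entries a client placed in the header before it reached Anti-DDoS Proxy are never used. The CIDR blocks, header values and function names are constructed for illustration.

```python
import ipaddress

# Constructed values: the back-to-origin CIDR blocks that the origin server
# whitelists for its Anti-DDoS Proxy instance and an upstream WAF/CDN layer.
TRUSTED_PROXY_CIDRS = [
    ipaddress.ip_network("198.51.100.0/24"),  # hypothetical Anti-DDoS back-to-origin block
    ipaddress.ip_network("192.0.2.0/24"),     # hypothetical WAF / CDN block
]


def _parse_ip(text):
    """Return an ip_address for one X-Forwarded-For entry, or None if it is not an IP literal."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def leftmost_xff_ip(xff):
    """The rule stated on the page: the address before the first comma is the originating IP.
    Returns it as a string, or None if that entry is not a valid IP literal."""
    if not xff:
        return None
    first = _parse_ip(xff.split(",", 1)[0])
    return str(first) if first is not None else None


def originating_ip(xff, peer_ip, trusted=TRUSTED_PROXY_CIDRS):
    """Stricter variant: trust the header only when the TCP peer is a whitelisted proxy,
    then walk the chain right to left and return the first address that is not a
    trusted proxy. Anything to the left of it was not appended by a trusted hop."""
    peer = _parse_ip(peer_ip)
    if peer is None:
        return None
    if not _is_trusted(peer, trusted):
        # Direct connection, not via a back-to-origin address: the peer is the client.
        return str(peer)
    chain = [entry for entry in (xff or "").split(",") if entry.strip()]
    for entry in reversed(chain):
        addr = _parse_ip(entry)
        if addr is None:
            return None  # malformed hop inserted by a trusted proxy; refuse to guess
        if not _is_trusted(addr, trusted):
            return str(addr)
    return None  # header absent or every hop is a trusted proxy: client unknown
```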

Note

You can also configure common web servers, such as NGINX, IIS 6, IIS 7, Apache, and Tomcat, to obtain the originating IP addresses. For more information, see Retrieve the originating IP addresses of clients.