Updated on 2024-07-31 GMT+08:00

How Do I Obtain the Real IP Address of an Attacker?

After traffic passes through a reverse proxy, the source IP address is translated into the proxy's back-to-origin IP address. In this case, if an external attack occurs, CFW sees only the back-to-origin address and cannot obtain the real IP address of the attacker. You can obtain the real IP address from the X-Forwarded-For field.

Viewing X-Forwarded-For

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Log Audit > Log Query. Click the Attack Event Logs tab. In the Operation column of the target event, click View.

    Figure 1 Viewing Attack Event Log Details

  6. On the Details page, click the Attack Payload tab and obtain the value of the X-Forwarded-For field.

    • Method 1: Check X-Forwarded-For (all IP addresses from the client to the last proxy server) in the Payload Content area.
      Figure 2 X-Forwarded-For in the payload
    • Method 2: Copy the Payload Content and decode it with a Base64 tool.
      • X-Forwarded-For: all IP addresses from the client to the last proxy server

      For example, in Figure 3 (Example of the Base64 decoding result), the client IP address obtained is xx.xx.xx.89, and only cloud WAF is used.

      Figure 3 Example of the Base64 decoding result
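
Method 2 as a script, added here as an example and not part of the product documentation: it Base64-decodes a copied payload, collects the X-Forwarded-For hops, and returns the right-most hop that lies outside your own proxy ranges, because entries further left arrive with the request and cannot be verified. The sample request, all addresses, and the `trusted_proxies` range are constructed for illustration.

```python
import base64
import ipaddress

# Constructed sample: the request as the last proxy forwarded it, Base64-encoded
# the way the Payload Content area presents it.
SAMPLE_REQUEST = (
    b"GET /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Forwarded-For: 192.0.2.10, 203.0.113.89, 198.51.100.7\r\n"
    b"\r\n"
)
SAMPLE_PAYLOAD = base64.b64encode(SAMPLE_REQUEST).decode()


def xff_chain(payload_b64):
    """Decode a Base64 payload and return the X-Forwarded-For hops in header order."""
    data = "".join(payload_b64.split())        # tolerate line wraps from copy/paste
    data += "=" * (-len(data) % 4)             # tolerate missing padding
    head = base64.b64decode(data).split(b"\r\n\r\n", 1)[0].decode("latin-1")
    hops = []
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-for":
            # The header may appear more than once; keep the order seen.
            hops += [h.strip() for h in value.split(",") if h.strip()]
    return hops


def likely_client(hops, trusted_proxies):
    """Walk right to left; return the first hop that is not one of our proxies."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None                        # malformed entry: stop trusting the chain
        if not any(addr in net for net in nets):
            return str(addr)
    return None                                # every hop was one of our own proxies


if __name__ == "__main__":
    chain = xff_chain(SAMPLE_PAYLOAD)
    print("hops:", chain)
    print("client:", likely_client(chain, ["198.51.100.0/24"]))
```

When only one proxy layer (for example, cloud WAF alone) sits in front of the origin and the header holds a single address, that address is the result.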