Obtaining the Source IP Address of a Client
After a service is connected to AAD, the real source IP address of the traffic that AAD forwards is hidden once the traffic reaches the server: the source IP address seen on the customer's origin server is the back-to-origin IP address of AAD. The true source IP address is carried in the TCP option field of the TCP packet and can be retrieved from there, allowing the real IPv6 access source to be identified.
During service application development, it is often necessary to obtain the client's real IP address. Taking a voting system as an example, the real IP addresses of the clients casting votes need to be obtained to ensure that each client casts only one vote.
This topic describes how to use the TOA module provided by AAD to obtain the real source IP address.
Constraints
- CentOS 6.5 (corresponding to the Linux kernel version 2.6.X)
- CentOS 7 (corresponding to the Linux kernel version 3.10.X)
- toa_common (TOA of common version, which is applicable to OSs whose Linux kernel version is 3.0 or later, such as Ubuntu 14/16 and SUSE 11/42)
- toa_linux-2.6.32-220.23.1.el6.x86_64.rs (corresponding to linux-2.6.32-220.23.1.el6.x86_64.rs)
- In the "AAD+web origin server" scenario, if basic web protection is disabled on AAD, you need to install TOA on the origin server to obtain the real source IP address.
- If basic web protection is enabled for AAD or Huawei Cloud WAF is configured as the origin server, you do not need to install TOA to obtain the real source IP address. You can obtain it from the Layer 7 request headers such as X-Forwarded-For (XFF) and X-Real-IP. Only the real IPv4 access source can be obtained this way.
- If the origin server runs other operating systems (such as Ubuntu and SUSE), follow the instructions described in Configuring the TOA Plug-in to customize and install the TOA plug-in to obtain the real source IP address.
Application Scenarios
The AAD TOA plug-in is installed to obtain the real source IP address over the Layer 4 protocol (TCP). In the "AAD+WAF" scenario, obtain the Layer 7 (HTTP) real source IP address by referring to Obtaining the Real Client IP Addresses.
Mechanism
Generally, AAD rewrites both addresses of the traffic passing through it: the source IP address is changed from the client's source IP address to the high-defense IP address, and the destination IP address is changed from the back-to-origin IP address to the origin server IP address. The source IP address visible to the user on the origin server is therefore the back-to-origin IP address.
- The high-defense IP address is provided by HUAWEI CLOUD to replace the IP address of the origin server to ensure its stability and reliability.
- From the perspective of an origin server, all traffic originates from the back-to-origin IP address.
- The origin server IP address is the public IP address used to provide services.
Procedure
- Compile and install the TOA module by referring to the open-source code of TOA.
When the kernel module is mounted, you can obtain the real source IP address easily without modifying the existing server processes or interrupting existing services.
- Verify the module.
You can obtain the real source IP address by referring to Configuring the TOA Plug-in or the following example code.
>>> print(newServerSocket.getpeername())
('cip', cport)
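The mechanism described above (the client address travelling in a TCP option, and the kernel module surfacing it through getpeername()) can be made concrete by parsing the option out of a raw TCP header in user space. The following is an added example written for this page, not code from the AAD TOA module or from Huawei Cloud. It assumes the option layout used by the open-source TOA module: option kind 254, total length 8, a 2-byte port followed by a 4-byte IPv4 address, big-endian; the constants, the sample header and the sample client address (203.0.113.7, a documentation range) are all constructed here. The parser walks standard TCP options (EOL, NOP, length-prefixed options) and stops on a malformed length rather than reading past the buffer.

```python
"""Extract the TOA (TCP Option Address) option from a raw TCP header."""
import socket
import struct
from typing import Iterator, Optional, Tuple

# Assumption: layout used by the open-source TOA module
# (kind 254, total length 8, 2-byte port, 4-byte IPv4 address, big-endian).
TOA_KIND = 254
TOA_LEN = 8

# Single-byte TCP options (RFC 793) that carry no length field.
TCPOPT_EOL = 0
TCPOPT_NOP = 1


def tcp_options(tcp_header: bytes) -> bytes:
    """Return the options bytes of a TCP header, located via its data offset."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4  # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("invalid TCP data offset")
    return tcp_header[20:data_offset]


def iter_options(options: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (kind, value) pairs; stop at EOL or at the first malformed length."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return  # kind byte with no length byte: truncated option
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return  # malformed length: never index past the buffer
        yield kind, options[i + 2:i + length]
        i += length


def extract_toa(tcp_header: bytes) -> Optional[Tuple[str, int]]:
    """Return (client_ip, client_port) from the TOA option, or None if absent."""
    for kind, value in iter_options(tcp_options(tcp_header)):
        if kind == TOA_KIND and len(value) == TOA_LEN - 2:
            (port,) = struct.unpack("!H", value[:2])
            return socket.inet_ntoa(value[2:6]), port
    return None


def build_tcp_header(src_port: int, dst_port: int, options: bytes) -> bytes:
    """Constructed test helper: minimal TCP SYN header carrying the given options."""
    # Pad options to a multiple of 4 bytes with EOL, as a real stack would.
    padded = options + b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(padded)) // 4
    fixed = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port, 0, 0,  # ports, seq, ack
        data_offset << 4, 0x02,    # data offset + reserved, flags (SYN)
        65535, 0, 0,               # window, checksum, urgent pointer
    )
    return fixed + padded


def demo() -> Optional[Tuple[str, int]]:
    """Constructed sample: MSS option, two NOPs, then a TOA option for 203.0.113.7:40000."""
    toa = struct.pack("!BBH4s", TOA_KIND, TOA_LEN, 40000, socket.inet_aton("203.0.113.7"))
    opts = b"\x02\x04\x05\xb4" + b"\x01\x01" + toa
    return extract_toa(build_tcp_header(54321, 443, opts))


if __name__ == "__main__":
    print(demo())  # ('203.0.113.7', 40000)
```

Once the kernel module is loaded, the same information is what getpeername() returns in the verification step above. A simple check that the module is actually active: if the address returned for a connection arriving through AAD is one of the back-to-origin IP addresses rather than a client address, the option is not being honoured, and per-client logic such as one-vote-per-IP would silently collapse onto a handful of AAD addresses.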