After you add a service to Anti-DDoS Pro or Anti-DDoS Premium, Anti-DDoS Pro or Anti-DDoS Premium scrubs the traffic destined for the service and then forwards the traffic to the origin server. The source IP addresses of the requests are changed to the IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance. This topic describes how to obtain the actual source IP addresses of requests.

Non-website service provided by using a port

Notice
  • If your origin server is an Elastic Compute Service (ECS) instance that was created after October 2018, the source IP addresses that you obtain on the origin server are the actual source IP addresses of requests.
  • If your origin server is an ECS instance that was created before October 2018, you cannot directly obtain the actual source IP addresses of requests. You need to submit a ticket to contact technical support.

For example, after you add a non-website service at Layer 4 to Anti-DDoS Pro or Anti-DDoS Premium, Anti-DDoS Pro or Anti-DDoS Premium establishes a TCP connection to the origin server by using a three-way handshake. The last ACK packet of the handshake carries the source port number and source IP address of the client in the TCP Option field. This information is 6 bytes long. The following figure shows the information in the ACK packet.

[Figure: TCP Option field of the ACK packet]

In the figure, the 2 bytes labeled Magic Number are the source port number in hexadecimal notation. In this example, the source port number is c4 06. The 4 bytes that follow the source port number are the source IP address. In this example, the source IP address is 65 ** ** 85. Convert c4 06 and 65 ** ** 85 from hexadecimal to decimal to obtain the actual values: the 2-byte port number as a single value, and each byte of the IP address separately. In this example, the actual source port number is 50182 and the actual source IP address is 101.***.***.133.
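The decoding described above, as an added example (not code from the page or from Alibaba Cloud): the parser walks a TCP options block, locates the option that carries the 6 bytes, and converts them to the source port and dotted-quad address. The page does not state the option kind and masks two address bytes, so the kind 0xFE and the bytes 0a 0b are constructed placeholders.

```python
import ipaddress
import struct
from typing import Optional, Tuple

# Layout from the page: 6 bytes of option data, a big-endian 2-byte source
# port followed by the 4-byte IPv4 source address.
OPTION_DATA_LEN = 6

def decode_source(data: bytes) -> Tuple[int, str]:
    """Decode the 6-byte option payload into (source_port, source_ip)."""
    if len(data) != OPTION_DATA_LEN:
        raise ValueError(f"expected {OPTION_DATA_LEN} bytes, got {len(data)}")
    port, raw_ip = struct.unpack("!H4s", data)
    return port, str(ipaddress.IPv4Address(raw_ip))

def find_option(options: bytes, kind: int) -> Optional[bytes]:
    """Return the data of TCP option `kind`, or None if absent or malformed.
    Kinds 0 (End of Option List) and 1 (No-Operation) are single bytes; every
    other option is kind, length, data, with length covering all three parts.
    """
    i = 0
    while i < len(options):
        k = options[i]
        if k == 0:                      # End of Option List
            return None
        if k == 1:                      # NOP padding
            i += 1
            continue
        if i + 1 >= len(options):       # kind without a length byte
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):  # bad length
            return None
        if k == kind:
            return options[i + 2:i + length]
        i += length
    return None

def extract_source(options: bytes, kind: int) -> Optional[Tuple[int, str]]:
    data = find_option(options, kind)
    if data is None or len(data) != OPTION_DATA_LEN:
        return None
    return decode_source(data)

# Constructed sample: option kind 0xFE and the two middle address bytes (0a 0b)
# are placeholders; the page gives only c4 06 and 65 ** ** 85. The block holds
# MSS 1460, two NOPs, the constructed option (length 8) and End of Option List.
SAMPLE_KIND = 0xFE
SAMPLE_OPTIONS = bytes.fromhex("020405b4" "0101" "fe08c406650a0b85" "00")
```

`extract_source(SAMPLE_OPTIONS, SAMPLE_KIND)` returns `(50182, '101.10.11.133')`, matching the page's port and the unmasked first and last address bytes.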

The methods that are used to obtain the actual source IP addresses of requests vary based on the network architecture of your services. For more information, see the following table.

Network architecture: Anti-DDoS Pro or Anti-DDoS Premium + ECS instance
Description:
  • If service requests are forwarded by using a TCP port, the origin server can obtain the actual source IP addresses. You do not need to perform additional operations.

    You can configure security group rules for the ECS instance based on the source IP addresses of requests and the back-to-origin IP addresses of your Anti-DDoS Pro or Anti-DDoS Premium instance. For example, you can allow or deny inbound traffic from a specific IP address.

  • If service requests are forwarded by using a UDP port, the origin server cannot obtain the actual source IP addresses.

Network architecture: Anti-DDoS Pro or Anti-DDoS Premium + Server Load Balancer (SLB) instance + ECS instance
Description:
  • If service requests are forwarded by using a TCP port, the origin server can obtain the actual source IP addresses. You do not need to perform additional operations.

    Note You must add the back-to-origin IP addresses of your Anti-DDoS Pro or Anti-DDoS Premium instance to the whitelist of the SLB instance. For more information, see Allow back-to-origin IP addresses to access the origin server and Enable access control.

  • If service requests are forwarded by using a UDP port, the origin server cannot obtain the actual source IP addresses.

  Note If the private IP address of the ECS instance is modified or the ownership of the ECS instance is transferred to you by another user, the origin server cannot obtain the actual source IP addresses. In this case, submit a ticket to contact technical support.

Network architecture: Anti-DDoS Pro or Anti-DDoS Premium + Server that is not deployed on Alibaba Cloud
Description: In some cases, the origin server can obtain the actual source IP addresses. For more information, see Obtain the actual source IP addresses of requests to an origin server that is not deployed on Alibaba Cloud.

Website service provided by using a domain name

By default, if service requests are forwarded to the origin server by a Layer 7 proxy server, such as an Anti-DDoS Pro or Anti-DDoS Premium instance, the source IP addresses obtained by the origin server are the back-to-origin IP addresses of the proxy server. The actual source IP addresses are recorded in the X-Forwarded-For field. The format is X-Forwarded-For:Actual source IP address,Back-to-origin IP addresses of the Anti-DDoS Pro or Anti-DDoS Premium instance.

If the requests pass through more than one proxy server, such as Web Application Firewall (WAF) and Alibaba Cloud CDN (CDN) instances, the X-Forwarded-For field in the HTTP request header records the actual source IP addresses and the IP addresses of all proxy servers. The format is X-Forwarded-For:Actual source IP address,IP address of Proxy Server 1,IP address of Proxy Server 2,IP address of Proxy Server 3,...

A common web application server can use the X-Forwarded-For field to obtain the actual source IP addresses of requests.

You can use the following methods to obtain the X-Forwarded-For field in different programming languages:
  • ASP
    Request.ServerVariables("HTTP_X_FORWARDED_FOR")
  • ASP.NET (C#)
    Request.ServerVariables["HTTP_X_FORWARDED_FOR"]
  • PHP
    $_SERVER["HTTP_X_FORWARDED_FOR"]
  • JSP
    request.getHeader("X-Forwarded-For")

In the X-Forwarded-For field, the IP address before the first comma (,) is the actual source IP address of a request.
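As an added example (not code from the page), a Python parser for the X-Forwarded-For field: `leftmost_client_ip` applies the rule stated above, and `client_ip_from_trusted_chain` is a hardened variant that uses the header only when the connection arrives from a known back-to-origin address and walks the list from the right past trusted proxies, so a value supplied by the client itself is not mistaken for the source address. The back-to-origin range and the addresses are constructed TEST-NET values.

```python
import ipaddress
from typing import Iterable, Optional


def leftmost_client_ip(xff: str) -> Optional[str]:
    """The rule stated above: the address before the first comma."""
    first = xff.split(",", 1)[0].strip()
    return first or None


def client_ip_from_trusted_chain(remote_addr: str, xff: Optional[str],
                                 trusted_proxies: Iterable[str]) -> str:
    """Walk X-Forwarded-For from the right, peeling off trusted proxy hops.

    Any client can send its own X-Forwarded-For header, and each proxy only
    appends to it, so the leftmost value is only as trustworthy as every hop
    in between. The first address from the right that is not one of our own
    proxies is the real client.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        try:
            return any(ipaddress.ip_address(addr) in n for n in nets)
        except ValueError:
            return False

    # A connection that does not arrive from the scrubbing proxy never passed
    # through it, so whatever it put in X-Forwarded-For is ignored.
    if not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # junk in the header: fall back to the connecting address
    return remote_addr


# Constructed sample values: the back-to-origin range, the client and the
# spoofed address are documentation (TEST-NET) addresses, not real ones.
BACK_TO_ORIGIN = ["192.0.2.0/24"]
HONEST_XFF = "203.0.113.7, 192.0.2.10"
SPOOFED_XFF = "198.51.100.99, 203.0.113.7, 192.0.2.10"
```

For SPOOFED_XFF the leftmost rule yields the client-supplied 198.51.100.99, while the trusted-chain walk from a connection at 192.0.2.10 yields 203.0.113.7, the address the proxy actually saw.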

Note For more information about how to configure common web servers, such as NGINX, IIS 6, IIS 7, Apache, and Tomcat, to obtain the actual source IP addresses, see Retrieve actual IP addresses of clients.