All Products
Search

This Product

    Anti-DDoS:Install the TOA kernel module to obtain the originating IP addresses of requests

    Document Center

    Anti-DDoS:Install the TOA kernel module to obtain the originating IP addresses of requests

    Last Updated:Mar 31, 2026

    When you add a TCP service to Anti-DDoS Pro or Anti-DDoS Premium for protection, Anti-DDoS Proxy scrubs incoming traffic and forwards it to your origin server. Because the proxy sits between the client and your server, the origin server sees the proxy's IP address instead of the real client IP. To restore visibility into originating IP addresses, install the TCP Option Address (TOA) kernel module on your origin server.

    This topic covers Linux-based origin servers. Three installation methods are available — choose the one that matches your operating system.

    Prerequisites

    Before you begin, make sure you have:

    • An origin server running a supported Linux distribution

    • A TCP-based non-website service added to Anti-DDoS Proxy using ports (UDP-based services are not supported)

    • Internet access on the origin server to download installation packages

    • sudo permissions if you are not the root user

    For website services, see Obtain the originating IP addresses of requests.

    Supported scenarios

    ScenarioDescription
    Anti-DDoS Proxy - ECS instanceThe origin server is deployed on an Elastic Compute Service (ECS) instance. Traffic is scrubbed by Anti-DDoS Proxy and forwarded to the ECS instance.
    Anti-DDoS Proxy - Layer 4 Server Load Balancer (SLB) instance - ECS instanceThe origin server is deployed on an ECS instance. Traffic is scrubbed by Anti-DDoS Proxy, then a Layer 4 SLB instance forwards the traffic to the ECS instance.
    Anti-DDoS Proxy - Server in your data centerThe origin server is deployed in your data center. Traffic is scrubbed by Anti-DDoS Proxy and forwarded to the data center server.

    Choose an installation method

    Test the installation in a non-production environment first. If the environment remains stable, proceed in production.

    MethodSupported operating systemsWhen to use
    Method 1: Load the VTOA module via modprobeAlibaba Cloud Linux 3 onlySimplest method; no compilation required
    Method 2: Compile from source codeCentOS, Ubuntu, Debian, and other Linux distributionsUse when Method 1 or Method 3 does not apply
    Method 3: Install via RPM Package Manager (RPM)Red Hat Linux, CentOS 6.x, CentOS 7.xPreferred for RPM-based distributions

    Method 1: Load the VTOA kernel module via modprobe

    This method applies only to Alibaba Cloud Linux 3.

    1. (Optional) Back up the built-in TOA kernel module. If a restart failure occurs, you can restore your operating system by switching back to the original kernel.

    2. Load the VTOA kernel module.

      modprobe vtoa

    3. Verify that the VTOA module is loaded.

      lsmod | grep vtoa

    4. Configure the VTOA module to load automatically on startup.

      1. Create /etc/sysconfig/modules/vtoa.modules with the following content: ``bash #!/bin/bash modprobe vtoa > /dev/null 2>&1 ``

      2. Grant execute permissions to the file. ``bash sudo chmod +x /etc/sysconfig/modules/vtoa.modules ``

    Method 2: Compile and load the TOA kernel module from source code

    This method works on most Linux distributions, including CentOS, Ubuntu, and Debian.

    1. (Optional) Back up the built-in TOA kernel module. If a restart failure occurs, you can restore your operating system by switching back to the original kernel.

    2. Download the TOA source code package. Your server must have internet access to download this file. Select the source file based on your kernel version:

      Kernel versionSource file
      2.xtoa_kernel2.x
      3.xtoa_kernel3.x
      4.x or 5.xtoa_kernel_common

    3. Install the compilation environment (gcc, kernel-headers, and kernel-devel).

      • CentOS: ``bash yum install gcc kernel-headers kernel-devel -y ``

      • Ubuntu or Debian: ``bash apt-get install gcc linux-headers-$(uname -r) -y ``

      Important

      If the above command fails on Debian, download the prebuilt headers manually. The following example uses Debian 11.11 64-bit with kernel version 5.10.0-33-amd64.

      1. Download Debian_11.11_5.10.0-33-amd64.zip.

      2. Install the packages in order:

        sudo dpkg -i linux-headers-5.10.0-33-common_5.10.226-1_all.deb
sudo dpkg -i linux-kbuild-5.10_5.10.237-1_amd64.deb
sudo dpkg -i linux-compiler-gcc-10-x86_5.10.237-1_amd64.deb
sudo dpkg -i linux-headers-5.10.0-33-amd64_5.10.226-1_amd64.deb

    4. Compile the TOA kernel module. Decompress the source code package, navigate to the correct folder, and run make. If no warnings or errors appear, the compilation is successful. Confirm that toa.ko is present in the current directory.

      To load the TOA kernel module on a different server, copy the toa.ko file to that server and follow the remaining steps there.
      # Navigate to the folder that matches your kernel version:
# Kernel 2.x: cd toa_kernel2.x/
# Kernel 3.x: cd toa_kernel3.x/
# Kernel 4.x or 5.x: cd toa_kernel_common/
cd toa_kernel3.x/
make

    5. Load the TOA kernel module.

      mv toa.ko /lib/modules/`uname -r`/kernel/net/netfilter/ipvs/toa.ko && depmod
insmod /lib/modules/`uname -r`/kernel/net/netfilter/ipvs/toa.ko

    6. Verify that the TOA module is loaded.

      lsmod | grep toa

    7. Configure the TOA module to load automatically on startup.

      • CentOS:

        1. Create /etc/sysconfig/modules/toa.modules with the following content: ``bash #!/bin/bash if [ -e /lib/modules/uname -r/kernel/net/netfilter/ipvs/toa.ko ] ; then insmod /lib/modules/uname -r/kernel/net/netfilter/ipvs/toa.ko > /dev/null 2>&1 fi ``

        2. Grant execute permissions to the file. ``bash sudo chmod +x /etc/sysconfig/modules/toa.modules ``

      • Ubuntu or Debian: Create /etc/modules-load.d/toa.conf with the following content: `` toa ``

    8. Restart the operating system.

      sudo reboot

    Method 3: Install the TOA kernel module via RPM

    Supported operating systems:

    • Red Hat Linux

    • CentOS 6.x

    • CentOS 7.x

    1. (Optional) Back up the built-in TOA kernel module. If a restart failure occurs, you can restore your operating system by switching back to the original kernel.

    2. Download the installation file for your operating system. Your server must have internet access to download this file.

    3. Install the TOA kernel module.

      • CentOS 7.x — navigate to the directory containing the downloaded file and run:

        sudo yum localinstall kernel-3.10.0-957.21.3.el7.toa.x86_64.rpm
        Note

        Note: Use yum localinstall to avoid dependency issues. Alternatively, run sudo rpm -ivh kernel-3.10.0-957.21.3.el7.toa.x86_64.rpm.

      • CentOS 6.x or Red Hat Enterprise Linux — navigate to the directory containing the downloaded files and run:

        sudo rpm -ivh kernel-firmware-2.6.32-696.13.2.el6.centos.plus.toa.x86_64.rpm
sudo rpm -ivh kernel-2.6.32-696.13.2.el6.centos.plus.toa.x86_64.rpm
        Note

        Note:

        • If kernel-firmware is already at version 2.6.32-696.13.2.el6.centos.plus.toa or later, run only the second command.

        • If dependency errors occur, add --nodeps to the rpm command.

        • If the installed kernel version is later than the TOA module version, add --force to install anyway.

    4. Configure the TOA module to load automatically on startup.

      1. Create /etc/sysconfig/modules/toa.modules with the content for your OS version:

        • CentOS 7.x: ``bash #!/bin/bash if [ -e /lib/modules/uname -r/kernel/net/toa/toa.ko.xz ] ; then modprobe toa > /dev/null 2>&1 fi ``

        • CentOS 6.x or Red Hat Enterprise Linux: ``bash #!/bin/bash if [ -e /lib/modules/uname -r/kernel/net/toa/toa.ko ] ; then modprobe toa > /dev/null 2>&1 fi ``

      2. Grant execute permissions to the file. ``bash sudo chmod +x /etc/sysconfig/modules/toa.modules ``

    5. Restart the operating system.

      reboot

    Results

    After the TOA kernel module is installed, the server can obtain the originating IP addresses of requests.

    If the server cannot obtain the originating IP addresses of requests, run the following command to check whether the TOA kernel module is loaded.

    lsmod | grep toa

    If the TOA module is not loaded, run the following command to manually load it.

    modprobe toa

    After the TOA kernel module is loaded, review your server access logs to confirm that the origin server can obtain the originating IP addresses of requests.

    Manage the TOA kernel module

    • Temporarily disable the TOA kernel module:

      rmmod toa.ko

    • Uninstall the TOA kernel module:

      rmmod toa

    • Verify that the TOA kernel module is uninstalled. The dmesg output includes "TOA unloaded" if the module was removed successfully.

      dmesg -T

    FAQ

    How does the TOA kernel module affect network performance?

    The TOA module runs in bypass mode, so it has minimal impact on network performance.

    Why can't I get originating IP addresses after upgrading the Linux kernel?

    After a kernel upgrade, the existing TOA module no longer matches the new kernel. Recompile and reinstall the TOA module each time you upgrade the Linux kernel.

    What's next

    Obtain the originating IP addresses of requests — for website services protected by Anti-DDoS Pro or Anti-DDoS Premium