Install the TOA kernel module to obtain the originating IP addresses of requests - Anti-DDoS

If you use an Elastic Compute Service (ECS) instance or a server in your data center as the origin server and add the port of your service to Anti-DDoS Pro or Anti-DDoS Premium for protection, traffic of requests for the service is scrubbed by Anti-DDoS Pro or Anti-DDoS Premium and then forwarded to the origin server. The origin server cannot directly obtain the originating IP addresses of the requests. To obtain the originating IP addresses, you can install the TCP Option Address (TOA) kernel module on the origin server. This topic describes how to install the TOA kernel module on a Linux kernel-based operating system.

Scenarios

Scenario	Description
Anti-DDoS Proxy - ECS instance	The origin server is deployed on an ECS instance. Traffic is scrubbed by Anti-DDoS Proxy and forwarded to the origin server that is deployed on the ECS instance.
Anti-DDoS Proxy - Layer 4 Server Load Balancer (SLB) instance - ECS instance	The origin server is deployed on an ECS instance. Traffic is scrubbed by Anti-DDoS Proxy. Then, a Layer 4 SLB instance forwards the traffic to the origin server that is deployed on the ECS instance.
Anti-DDoS Proxy - Server in your data center	The origin server is deployed in your data center. Requests are first scrubbed by Anti-DDoS Proxy and then forwarded to the origin server that is deployed in your data center.

Usage notes

The methods can be used only on TCP-based non-website services that are added to Anti-DDoS Proxy by using ports. UDP-based services are not supported. For more information about how to obtain the originating IP addresses of requests from website services, see Obtain the originating IP addresses of requests.
We recommend that you perform the operations that are described in this topic in a test environment and check whether the operations affect the stability of the environment. If the operations do not affect the stability of the environment, perform the operations in a production environment.
If you are a non-root user, you must have the sudo permissions.

Method 1: Load the VTOA kernel module by running the modprobe command

This method is suitable only for Alibaba Cloud Linux 3.

(Optional) Back up the built-in TOA kernel module of the operating system. If a restart failure occurs, you can restore your operating system by switching to the original kernel.
Load the VTOA kernel module.
```
#modprobe vtoa
```
Check whether the VTOA module is loaded.
```
#lsmod | grep vtoa
```
Configure the VTOA kernel module to automatically load when the operating system starts.
1. Create the /etc/sysconfig/modules/vtoa.modules file and add the following content to the file:
```
#!/bin/bash
modprobe vtoa > /dev/null 2>&1
```
2. Run the following command to grant execute permissions to the vtoa.modules file:
```
sudo chmod +x /etc/sysconfig/modules/vtoa.modules
```

Method 2: Load the TOA kernel module by using the source code

(Optional) Back up the built-in TOA kernel module of the operating system. If a restart failure occurs, you can restore your operating system by switching to the original kernel.
Access the TOA source code download link to download the source code package. Make sure that your server can access the Internet to download this file.
- If the kernel version is 2.x, use the toa_kernel2.x file.
- If the kernel version is 3.x, use the toa_kernel3.x file.
- If the kernel version is 4.x or 5.x, use the toa_kernel_common file.
Install the compilation environment (gcc, kernel-headers, and kernel-devel).
- CentOS
```
#yum install gcc kernel-headers kernel-devel -y
```
- Ubuntu or Debian
```
#apt-get install gcc linux-headers-$(uname -r) -y
```
  Important
  If an error occurs when you run this command on a Debian system, refer to the following operations to install the compilation environment. The following example uses a server running Debian 11.11 64-bit with kernel version 5.10.0-33-amd64.
  1. Access Debian_11.11_5.10.0-33-amd64.zip to download the file.
  2. Run the following commands to install the compilation environment.
    sudo dpkg -i linux-headers-5.10.0-33-common_5.10.226-1_all.deb sudo dpkg -i linux-kbuild-5.10_5.10.237-1_amd64.deb sudo dpkg -i linux-compiler-gcc-10-x86_5.10.237-1_amd64.deb sudo dpkg -i linux-headers-5.10.0-33-amd64_5.10.226-1_amd64.deb
Compile the TOA kernel module.
Decompress the source code package, run the cd command to open the folder, and then compile the source code file. If no warning or error messages appear during the compilation process, the compilation is successful. Check whether the toa.ko file is generated in the current directory.
```
//The path of the source code package. In this example, the path of the toa_kernel3.x file is used.
//If the kernel version is 2.x, #cd toa_kernel2.x/ 
//If the kernel version is 3.x, #cd toa_kernel3.x/ 
//If the kernel version is 4.x or 5.x, #cd toa_kernel_common/
#cd toa_kernel3.x/ 
//Perform the compilation.
#make
```
Note
If you want to load the TOA kernel module on another operating system, copy the toa.ko file to another server and perform the following steps to load the TOA kernel module.

Load the TOA kernel module.

#mv toa.ko /lib/modules/`uname -r`/kernel/net/netfilter/ipvs/toa.ko && depmod
#insmod /lib/modules/`uname -r`/kernel/net/netfilter/ipvs/toa.ko

Check whether the TOA kernel module is loaded.
```
# lsmod | grep toa 
```
Configure the TOA kernel module to automatically load when the operating system starts.
- CentOS
  1. Create the /etc/sysconfig/modules/toa.modules file and add the following content to the file:
```
#!/bin/bash
if [ -e /lib/modules/`uname -r`/kernel/net/netfilter/ipvs/toa.ko ] ;
then
insmod /lib/modules/`uname -r`/kernel/net/netfilter/ipvs/toa.ko > /dev/null 2>&1
fi
```
  2. Run the following command to grant execute permissions to the toa.modules file:
```
sudo chmod +x /etc/sysconfig/modules/toa.modules
```
- Ubuntu or Debian
  Create the /etc/modules-load.d/toa.conf file and add the following content to the file:
```
toa
```
Run the sudo reboot command to restart the operating system.

Method 3: Load the TOA kernel module by using RPM Package Manager (RPM)

Supported operating systems:

Redhat Linux
CentOS 6.x
CentOS 7.x

(Optional) Back up the built-in TOA kernel module of the operating system. If a restart failure occurs, you can restore your operating system by switching to the original kernel.
Download the installation file of the TOA kernel module based on the operating system of your server. Make sure that your server can access the Internet to download this file.
- CentOS 7.x: kernel-3.10.0-957.21.3.el7.toa.x86_64.rpm
- CentOS 6.x or Red Hat Enterprise Linux:
  - kernel-firmware-2.6.32-696.13.2.el6.centos.plus.toa.x86_64
  - kernel-2.6.32-696.13.2.el6.centos.plus.toa.x86_64
Install the TOA kernel module.
- CentOS 7.x
  Go to the directory of the installation file and run the following command:
```
sudo yum localinstall kernel-3.10.0-957.21.3.el7.toa.x86_64.rpm
```
  Note
  To prevent dependency issues, we recommend that you use the yum localinstall command. You can also use the sudo rpm -ivh kernel-3.10.0-957.21.3.el7.toa.x86_64.rpm command.
- CentOS 6.x or Red Hat Enterprise Linux
  Go to the directory of the installation file and run the following command:
```
sudo rpm -ivh kernel-firmware-2.6.32-696.13.2.el6.centos.plus.toa.x86_64.rpm
sudo rpm -ivh kernel-2.6.32-696.13.2.el6.centos.plus.toa.x86_64.rpm
```
  Note
  If kernel-firmware runs 2.6.32-696.13.2.el6.centos.plus.toa or later, use only the preceding second command.
  If dependency issues occur during installation, add the --nodeps parameter to the rpm command.
  If the kernel version is later than the version of the TOA kernel module, add the --force parameter to the rpm command to forcibly install the kernel.

Configure the TOA kernel module to automatically load when the operating system starts.

Create the /etc/sysconfig/modules/toa.modules file and add the following content to the file:

CentOS 7.x:

#!/bin/bash
if [ -e /lib/modules/`uname -r`/kernel/net/toa/toa.ko.xz ] ;
then 
modprobe toa > /dev/null 2>&1
fi

CentOS 6.x or Red Hat Enterprise Linux:

#!/bin/bash
if [ -e /lib/modules/`uname -r`/kernel/net/toa/toa.ko ] ;
then 
modprobe toa > /dev/null 2>&1
fi

Run the following command to grant execute permissions to the toa.modules file:
```
sudo chmod +x /etc/sysconfig/modules/toa.modules
```

Run the reboot command to restart the operating system.

Results

After the TOA kernel module is installed, the server can obtain the originating IP addresses of requests.

If the server cannot obtain the originating IP addresses of requests, we recommend that you run the lsmod|grep toa command to check whether the TOA kernel module is loaded. If the TOA module is not loaded, run the modprobe toa command to manually load the module. After the TOA kernel module is loaded, you can view server access logs and test whether the origin server can obtain the originating IP addresses of requests.

Related operations

To temporarily disable the TOA kernel module, run the rmmod path/module name command.
```
rmmod toa.ko
```
Uninstall the TOA kernel module.
```
rmmod toa
```
Check whether the TOA kernel module is uninstalled. If the "TOA unloaded" message is displayed, the TOA kernel module is uninstalled.
```
dmesg -T
```

FAQ

How does the TOA kernel module affect network performance when it converts network connections?

The TOA kernel module is deployed in bypass mode. Therefore, it has minimal impacts on network performance.

Why can't I obtain the originating IP addresses after the Linux kernel is upgraded?

After the Linux kernel is upgraded, the original TOA kernel module does not match the upgraded Linux kernel. You must recompile and install the TOA kernel module each time you upgrade the Linux kernel.