After you add a service to Anti-DDoS Pro or Anti-DDoS Premium, Anti-DDoS Pro or Anti-DDoS Premium scrubs the traffic that is destined for the service and then forwards the traffic to the origin server. The originating IP addresses of the requests are changed to the IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance. This topic describes how to obtain the originating IP addresses of requests.

Non-website service provided by using a port

Important
  • If your instance uses an IPv6 address, you cannot obtain the originating IP addresses of requests.
  • If your origin server is an Elastic Compute Service (ECS) instance that was created after October 2018, the originating IP addresses are obtained automatically. In this case, the source IP addresses that you see on the origin server are the originating IP addresses of the requests.
  • If your origin server is an ECS instance that was created before October 2018, the originating IP addresses cannot be automatically obtained.

For example, after you add a non-website Layer 4 service to Anti-DDoS Pro or Anti-DDoS Premium, the instance establishes a TCP connection to the origin server by using a three-way handshake. The last ACK packet of the handshake carries the originating port number and IP address in the TCP Option field. This information is 6 bytes in size. The following figure shows the information in the ACK packet.

Figure: TCP Option field of the ACK packet

The value of Magic Number is the originating port number as a hexadecimal string. In this example, the originating port number is c4 06. The 4 bytes that follow the port number are the originating IP address. In this example, the originating IP address is 65 ** ** 85. Convert c4 06 and 65 ** ** 85 from hexadecimal to decimal to obtain the originating port number and IP address. In this example, the originating port number is 50182 and the originating IP address is 101.***.***.133.
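The conversion described above can be automated. The following Python parser is an added example, not code from the Alibaba Cloud documentation: it walks a TCP options area as kind/length/payload entries, picks out the option that carries the originating address, and decodes its 6-byte payload (2-byte port, 4-byte IPv4 address). The option kind number (254) and the sample options bytes are assumptions constructed for this example; confirm the kind against your own packet capture before relying on it. It also accepts a hex dump copied from a capture, as the page's c4 06 ... example is shown.

```python
import ipaddress
from typing import Iterator, Optional, Tuple

# Assumed option kind for the address-carrying option (constructed for this
# example; verify it against a real capture from your instance).
ORIGIN_OPTION_KIND = 254
ORIGIN_PAYLOAD_LEN = 6  # 2-byte port followed by a 4-byte IPv4 address


def iter_tcp_options(options: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the TCP options area and yield (kind, payload) pairs.

    Kind 0 is End of Option List, kind 1 is a single-byte NOP; every other
    option is kind, length, payload, where length counts the kind and length
    bytes as well.
    """
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # EOL: nothing meaningful follows
            return
        if kind == 1:            # NOP: single byte of padding
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header at offset %d" % i)
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        yield kind, options[i + 2 : i + length]
        i += length


def parse_origin_payload(payload: bytes) -> Tuple[int, str]:
    """Decode the 6-byte payload: big-endian port, then the IPv4 address."""
    if len(payload) != ORIGIN_PAYLOAD_LEN:
        raise ValueError("expected %d bytes, got %d" % (ORIGIN_PAYLOAD_LEN, len(payload)))
    port = int.from_bytes(payload[:2], "big")
    ip = str(ipaddress.IPv4Address(payload[2:]))
    return port, ip


def find_originating_address(options: bytes, kind: int = ORIGIN_OPTION_KIND) -> Optional[Tuple[int, str]]:
    """Return (port, ip) from the address option, or None when it is absent."""
    for opt_kind, payload in iter_tcp_options(options):
        if opt_kind == kind:
            return parse_origin_payload(payload)
    return None


def decode_hex_dump(hex_bytes: str) -> Tuple[int, str]:
    """Same conversion for a space-separated hex dump copied from a capture."""
    return parse_origin_payload(bytes.fromhex(hex_bytes))


# Constructed sample options area (not a real capture): two NOPs for
# alignment, then the address option carrying port 0xc406 (50182, the page's
# value) and a constructed address 198.51.100.7, then EOL.
SAMPLE_OPTIONS = bytes([1, 1, ORIGIN_OPTION_KIND, 8, 0xC4, 0x06, 198, 51, 100, 7, 0])

if __name__ == "__main__":
    print(find_originating_address(SAMPLE_OPTIONS))  # (50182, '198.51.100.7')
    print(decode_hex_dump("c4 06 c6 33 64 07"))      # (50182, '198.51.100.7')
```

The length checks matter in practice: an options area truncated by a capture, or an option whose length byte points past the end of the header, raises instead of silently decoding garbage as an address.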

The methods that are used to obtain the originating IP addresses of requests vary based on the network architecture of your services. For more information, see the following table.

Network architecture: Anti-DDoS Pro or Anti-DDoS Premium + Elastic Compute Service (ECS) instance
Description:
  • If service requests are forwarded by using a TCP port, the origin server can obtain the originating IP addresses. You do not need to perform additional operations.

    You can configure security group rules for the ECS instance based on the originating IP addresses of requests and the back-to-origin IP addresses of your Anti-DDoS Pro or Anti-DDoS Premium instance. For example, you can allow or deny inbound traffic from a specific IP address.

  • If service requests are forwarded by using a UDP port, the origin server cannot obtain the originating IP addresses.

Network architecture: Anti-DDoS Pro or Anti-DDoS Premium + Server Load Balancer (SLB) instance + ECS instance
Description:
  • If service requests are forwarded by using a TCP port, the origin server can obtain the originating IP addresses. You do not need to perform additional operations.
    Note You must add the back-to-origin IP addresses of your Anti-DDoS Pro or Anti-DDoS Premium instance to the whitelist of the SLB instance. For more information, see Allow back-to-origin IP addresses to access the origin server and Enable access control.
  • If service requests are forwarded by using a UDP port, the origin server cannot obtain the originating IP addresses.
  Note If the private IP address of the ECS instance is modified or the ownership of the ECS instance is transferred to you by another user, the origin server cannot obtain the originating IP addresses.

Network architecture: Anti-DDoS Pro or Anti-DDoS Premium + Server that is not deployed on Alibaba Cloud
Description: In some cases, the origin server can obtain the originating IP addresses. For more information, see Obtain the actual source IP addresses of requests to an origin server that is not deployed on Alibaba Cloud.

Website service provided by using a domain name

By default, when service requests are forwarded to the origin server by a Layer 7 proxy server, such as an Anti-DDoS Pro or Anti-DDoS Premium instance, the source IP addresses that the origin server sees are the back-to-origin IP addresses of the Anti-DDoS Pro or Anti-DDoS Premium instance. The originating IP address of each request is recorded in the X-Forwarded-For field of the HTTP request header. The format is X-Forwarded-For: Originating IP address, Back-to-origin IP address of Anti-DDoS Pro or Anti-DDoS Premium.

If the requests pass through more than one proxy server, the X-Forwarded-For field in the HTTP request header records the originating IP addresses and the IP addresses of all proxy servers. The format is X-Forwarded-For: Originating IP address, IP address of proxy server 1, IP address of proxy server 2, IP address of proxy server 3, .... The proxy server can be a Web Application Firewall (WAF) instance or an Alibaba Cloud CDN (CDN) instance.

A common web application server can use the X-Forwarded-For field to obtain the originating IP addresses of requests.

You can use the following methods to obtain the X-Forwarded-For field in different programming languages:
  • ASP
    Request.ServerVariables("HTTP_X_FORWARDED_FOR")
  • ASP.NET (C#)
    Request.ServerVariables["HTTP_X_FORWARDED_FOR"]
  • PHP
    $_SERVER["HTTP_X_FORWARDED_FOR"]
  • JSP
    request.getHeader("X-Forwarded-For")

In the X-Forwarded-For field, the IP address before the first comma (,) is the originating IP address of a request.
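The following Python function is an added example, not code from the Alibaba Cloud documentation. It applies the rule above (the address before the first comma is the originating IP) using the same CGI/WSGI variable names the snippets above rely on (HTTP_X_FORWARDED_FOR and REMOTE_ADDR), and it only honours the header when the TCP peer is one of the instance's back-to-origin addresses, which the page says you should whitelist anyway. The back-to-origin ranges and the sample requests are placeholders constructed for this example; take the real ranges from the console.

```python
import ipaddress
from typing import List, Mapping, Optional

# Placeholder back-to-origin address ranges of the Anti-DDoS Pro or Anti-DDoS
# Premium instance (constructed for this example; use the real list).
BACK_TO_ORIGIN_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def is_back_to_origin(addr: str) -> bool:
    """True when the TCP peer address belongs to a back-to-origin range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in BACK_TO_ORIGIN_NETWORKS)


def forwarded_chain(environ: Mapping[str, str]) -> List[str]:
    """Split X-Forwarded-For into its comma-separated entries, left to right."""
    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    return [part.strip() for part in raw.split(",") if part.strip()]


def originating_ip(environ: Mapping[str, str]) -> Optional[str]:
    """Return the originating client IP, or None when it cannot be determined.

    REMOTE_ADDR is the TCP peer (the back-to-origin address when the request
    came through the instance); HTTP_X_FORWARDED_FOR is the header value.
    """
    # Only read the header on connections that actually arrived from the
    # instance; on any other connection it is just an untrusted header.
    if not is_back_to_origin(environ.get("REMOTE_ADDR", "")):
        return None
    chain = forwarded_chain(environ)
    if not chain:
        return None
    first = chain[0]  # the address before the first comma
    try:
        ipaddress.ip_address(first)
    except ValueError:
        return None  # malformed entry: do not log or act on it
    return first


# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = {
    "through_instance": {
        "REMOTE_ADDR": "203.0.113.5",
        "HTTP_X_FORWARDED_FOR": "192.0.2.10, 203.0.113.5",
    },
    "through_cdn_and_instance": {
        "REMOTE_ADDR": "203.0.113.5",
        "HTTP_X_FORWARDED_FOR": "192.0.2.10, 198.51.100.3, 203.0.113.5",
    },
    "direct_to_origin": {
        "REMOTE_ADDR": "192.0.2.99",
        "HTTP_X_FORWARDED_FOR": "192.0.2.10",
    },
}

if __name__ == "__main__":
    for name, env in SAMPLE_REQUESTS.items():
        print(name, originating_ip(env))
```

When a WAF or CDN instance sits in front of the Anti-DDoS instance, the peer check stays the same (the origin server still only sees back-to-origin addresses), and the chain simply grows by one entry per proxy, as the page describes; the originating address remains the first entry.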

Note For more information about how to configure common web servers to obtain the originating IP addresses, see Retrieve the originating IP addresses of clients. Common web servers include NGINX, IIS 6, IIS 7, Apache, and Tomcat.