nf_conntrack: table full, dropping packet

crshep

• January 07, 2015 16:45

What is this and how do I stop it? It is really messing with the vps. This is only part of it my logs have tones of these lines. For the past few days
Jan 7 14:06:46 server1 kernel: __ratelimit: 3573 callbacks suppressed Jan 7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:52 server1 kernel: __ratelimit: 3245 callbacks suppressed Jan 7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:57 server1 kernel: __ratelimit: 3260 callbacks suppressed Jan 7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet. Jan 7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
Thanks

• 

  24x7server

  • January 08, 2015 12:05

  Hello, I think there is a DDOS attack on your server and your iptables connection_table is full. You will have to increase it with the following command.
  sysctl -w net.netfilter.nf_conntrack_max=141072
  

  0
• 

  24x7ss

  • January 08, 2015 13:39

  The above error shows that connection tracking table is full. There are no security implications on server. You can increase the value in kernel modules by using below command: sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=55000 sysctl -w net.netfilter.nf_conntrack_generic_timeout=60 sysctl -w net.ipv4.netfilter.ip_conntrack_max= Also, install csf firewall or any DDOS application to prevent server from attack.

  0
• 

  cPanelMichael

  • January 08, 2015 15:51

  Hello :) The following thread on a third-party website provides information about this issue: [url=http://security.stackexchange.com/questions/43205/nf-conntrack-table-full-dropping-packet]denial of service - nf_conntrack: table full, dropping packet - Information Security Stack Exchange Thank you.

  0
• 

  crshep

  • January 08, 2015 16:24

  Thanks I'll look into changing the size but CSF is installed on the server I guess I should have stated that in my post sorry.

  0

Please sign in to leave a comment.