nf_conntrack: table full, dropping packet

Discussion in 'Security' started by crshep, Jan 7, 2015.

  1. crshep

    crshep Well-Known Member

    What is this and how do I stop it? It is really messing with the VPS. This is only part of it; my logs have tons of these lines. For the past few days

    Code:
    Jan  7 14:06:46 server1 kernel: __ratelimit: 3573 callbacks suppressed
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: __ratelimit: 3245 callbacks suppressed
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: __ratelimit: 3260 callbacks suppressed
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.


    Thanks
  2. 24x7server

    24x7server Well-Known Member

    Hello,

    I think there is a DDoS attack on your server and your iptables connection_table is full. You will have to increase it with the following command.

    Code:
    sysctl -w net.netfilter.nf_conntrack_max=141072
  3. 24x7ss

    24x7ss Well-Known Member

    The above error shows that the connection tracking table is full. There are no security implications on the server. You can increase the value in kernel modules by using the commands below:

    sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=55000
    sysctl -w net.netfilter.nf_conntrack_generic_timeout=60
    sysctl -w net.ipv4.netfilter.ip_conntrack_max=<more than currently set>

    Also, install the CSF firewall or any DDoS application to protect the server from attack.
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  5. crshep

    crshep Well-Known Member

    Thanks, I'll look into changing the size, but CSF is installed on the server. I guess I should have stated that in my post, sorry.
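
An added example, not written by any poster in this thread: before raising `nf_conntrack_max` as suggested above, it helps to see how full the table is and which source addresses and TCP states are filling it. The function names are hypothetical and the sample entries are constructed in the `/proc/net/nf_conntrack` line format.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Percentage of the conntrack table in use, given a count and a max value.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Entries per original-direction source (the first src= on each line; the
# second src= belongs to the reply tuple). Output: "<count> <address>".
top_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { n[substr($i, 5)]++; break } }
         END { for (a in n) print n[a], a }' "$1" | sort -k1,1nr -k2,2 | head -n "${2:-5}"
}

# TCP entries per connection state (6th field of a tcp line).
tcp_state_counts() {
    awk '$3 == "tcp" { s[$6]++ } END { for (k in s) print s[k], k }' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample table (documentation address ranges only).
write_sample() {
    cat > "$1" <<'EOF'
ipv4     2 tcp      6 57 SYN_RECV src=203.0.113.7 dst=192.0.2.10 sport=40001 dport=80 src=192.0.2.10 dst=203.0.113.7 sport=80 dport=40001 mark=0 use=2
ipv4     2 tcp      6 58 SYN_RECV src=203.0.113.7 dst=192.0.2.10 sport=40002 dport=80 src=192.0.2.10 dst=203.0.113.7 sport=80 dport=40002 mark=0 use=2
ipv4     2 tcp      6 59 SYN_RECV src=203.0.113.7 dst=192.0.2.10 sport=40003 dport=80 src=192.0.2.10 dst=203.0.113.7 sport=80 dport=40003 mark=0 use=2
ipv4     2 tcp      6 431990 ESTABLISHED src=198.51.100.20 dst=192.0.2.10 sport=51515 dport=443 src=192.0.2.10 dst=198.51.100.20 sport=443 dport=51515 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 110 TIME_WAIT src=198.51.100.20 dst=192.0.2.10 sport=51516 dport=443 src=192.0.2.10 dst=198.51.100.20 sport=443 dport=51516 [ASSURED] mark=0 use=2
ipv4     2 udp      17 25 src=198.51.100.99 dst=192.0.2.10 sport=5353 dport=53 [UNREPLIED] src=192.0.2.10 dst=198.51.100.99 sport=53 dport=5353 mark=0 use=2
EOF
}

# Demo run on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
echo "usage: $(conntrack_usage_pct 49152 65536)%"
top_sources "$sample" 3
tcp_state_counts "$sample"
rm -f "$sample"

# On a live server (as root) the same functions take the real table:
#   conntrack_usage_pct "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" \
#                       "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
#   top_sources /proc/net/nf_conntrack 10
```

A table dominated by one source or by half-open TCP states points to a flood that a larger `nf_conntrack_max` only postpones, while many long-lived ESTABLISHED entries spread across sources suggest legitimate load or an overly long established timeout.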