nf_conntrack: table full, dropping packet

ip_conntrack or nf_conntrack : table full, dropping packet

SOLUTION VERIFIED - Updated August 4 2020 at 1:57 AM

Issue

  • What do the following messages in the system log mean?
    ip_conntrack: table full, dropping packet.
    nf_conntrack: table full, dropping packet.
  • Packet drops on this system for connections using the ip_conntrack or nf_conntrack iptables modules.
  • Messages seen in /var/log/messages on the compute nodes when one of the instances drops packets.

Environment


I see a lot of these messages in /var/log/messages of my Linux server

kernel: nf_conntrack: table full, dropping packet.
kernel: __ratelimit: 15812 callbacks suppressed

while my server is under a DoS attack, but the memory is still not saturated. I am wondering what the significance of the message is and how to counter possible security implications.

Rory Alsop

asked Oct 2 '13 at 5:44
hnn


3 Answers


The message means your connection tracking table is full. There are no security implications other than DoS. You can partially mitigate this by increasing the maximum number of connections being tracked, reducing the tracking timeouts, or by disabling connection tracking altogether, which is doable on a server but not on a NAT router, because the latter will cease to function.

# Shorten the idle timeout of established TCP flows (seconds; the kernel default is 5 days)
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
# Shorten the timeout for protocols without a dedicated tracker (seconds)
sysctl -w net.netfilter.nf_conntrack_generic_timeout=120
# Raise the table size above its current value (read the current value with: sysctl net.ipv4.netfilter.ip_conntrack_max)
sysctl -w net.ipv4.netfilter.ip_conntrack_max=<more than currently set>
answered Oct 2 '13 at 8:13
Matrix

  • These names may be different depending on your distro and kernel. You can discover their names by running sysctl --names --all | grep -i conntrack. Remember to edit /etc/sysctl.conf 
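As an added example, not part of the original answer or comment, the following POSIX shell script measures how full the conntrack table actually is and counts the drop messages in a log, so the sysctl changes above can be sized against real load rather than guessed. It assumes the modern nf_conntrack sysctl file names under /proc/sys/net/netfilter; the log lines are constructed, modelled on the ones in the question.

```sh
#!/bin/sh
# Added example, not from the original answer: size the conntrack table against
# real usage and count how many "table full" drops a log actually records.
# Assumes the modern nf_conntrack sysctl names under /proc/sys/net/netfilter.

# Percentage of the conntrack table in use. $1 = current entries, $2 = maximum.
conntrack_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || return 1
    echo $(( $1 * 100 / $2 ))
}

# Same, read from the live kernel; fails if the module is not loaded or /proc is hidden.
live_conntrack_pct() {
    d=/proc/sys/net/netfilter
    [ -r "$d/nf_conntrack_count" ] && [ -r "$d/nf_conntrack_max" ] || return 1
    conntrack_pct "$(cat "$d/nf_conntrack_count")" "$(cat "$d/nf_conntrack_max")"
}

# Count drop messages on stdin. The logged lines undercount: every
# "__ratelimit: N callbacks suppressed" line stands for N messages the kernel
# did not write, so that total is reported separately (in the question's log
# those suppressed messages are the same conntrack message).
count_table_full() {
    awk '
        /conntrack: table full, dropping packet/   { logged++ }
        /__ratelimit: [0-9]+ callbacks suppressed/  { supp += $(NF-2) }
        END { printf "logged=%d suppressed=%d\n", logged + 0, supp + 0 }
    '
}

# Constructed sample in syslog format, modelled on the lines in the question.
LOG_SAMPLE='Oct  2 05:44:01 srv kernel: nf_conntrack: table full, dropping packet.
Oct  2 05:44:01 srv kernel: nf_conntrack: table full, dropping packet.
Oct  2 05:44:06 srv kernel: __ratelimit: 15812 callbacks suppressed
Oct  2 05:44:06 srv kernel: nf_conntrack: table full, dropping packet.
Oct  2 05:44:30 srv sshd[123]: Accepted publickey for user from 192.0.2.10'

if pct=$(live_conntrack_pct); then
    echo "conntrack table ${pct}% full"
else
    echo "conntrack sysctls not readable here (module not loaded or no /proc access)"
fi
printf '%s\n' "$LOG_SAMPLE" | count_table_full
```

A table that sits near 100% while the suppressed count is large is the signal to raise nf_conntrack_max and tighten the timeouts; a table that is far from full means the drops have another cause.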
