Large amount of Conntrack Sessions flooding

sonic Veteran

Hi,

I have a tiny VPS with nanovz and use it for reverse proxy.
Today, my VPS is suspended due to "Large amount of Conntrack Sessions flooding"

"Conntrack Sessions: 58662
PPS: 18542"

I don't know how to solve this. I installed lowendscript on this VPS (nginx only, no mysql, exim, ..) and it acts as a reverse proxy.

Please help me solve this

Comments

  • KuJoe Member, Host Rep
    edited January 2015

    Use this command to see all of the sessions: cat /proc/net/nf_conntrack

    Once you see the sessions, you can determine what IPs are connecting and over what port, then use the port to discover the protocol.

    Also keep in mind that by default, the majority of Linux distros have a max of 65536 sessions so almost 59k is a quite a lot.

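As an added illustration of the triage KuJoe describes (not code posted in the thread), this script parses lines in /proc/net/nf_conntrack format and aggregates them by source IP and by protocol/destination port, and also counts [UNREPLIED] entries, which are connections the remote side never completed. The sample lines are constructed with RFC 5737 documentation addresses; on a real box you would feed it the contents of /proc/net/nf_conntrack instead.

```python
import re
from collections import Counter

# Constructed sample in /proc/net/nf_conntrack format (documentation addresses, not data from the thread).
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=192.0.2.10 sport=51234 dport=80 src=192.0.2.10 dst=198.51.100.7 sport=80 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 110 SYN_SENT src=203.0.113.9 dst=192.0.2.10 sport=40001 dport=80 [UNREPLIED] src=192.0.2.10 dst=203.0.113.9 sport=80 dport=40001 mark=0 use=2
ipv4     2 tcp      6 110 SYN_SENT src=203.0.113.9 dst=192.0.2.10 sport=40002 dport=80 [UNREPLIED] src=192.0.2.10 dst=203.0.113.9 sport=80 dport=40002 mark=0 use=2
ipv4     2 tcp      6 110 SYN_SENT src=203.0.113.9 dst=192.0.2.10 sport=40003 dport=443 [UNREPLIED] src=192.0.2.10 dst=203.0.113.9 sport=443 dport=40003 mark=0 use=2
ipv4     2 udp      17 29 src=203.0.113.44 dst=192.0.2.10 sport=5353 dport=53 [UNREPLIED] src=192.0.2.10 dst=203.0.113.44 sport=53 dport=5353 mark=0 use=2
"""

FIELD_RE = re.compile(r"\b(src|dst|sport|dport)=(\S+)")
DEFAULT_CONNTRACK_MAX = 65536  # the default table ceiling mentioned in the thread

def parse_entry(line):
    """Return a dict for one nf_conntrack line, or None if the line is not an entry.
    Each entry carries two src/dst/sport/dport groups: the original direction first,
    the reply direction second. Only the first group (who connected to what) is kept."""
    parts = line.split()
    if len(parts) < 6 or not parts[0].startswith("ipv"):
        return None
    fields = {}
    for key, val in FIELD_RE.findall(line):
        fields.setdefault(key, val)          # first occurrence = original direction
    return {
        "proto": parts[2],
        # TCP entries carry a state token after the timeout; UDP/ICMP entries do not.
        "state": parts[5] if parts[2] == "tcp" else "-",
        "unreplied": "[UNREPLIED]" in line,  # peer never answered: common in floods
        **fields,
    }

def summarize(text):
    """Aggregate entries by source IP and by (proto, dport), as the post suggests."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    return {
        "total": len(entries),
        "unreplied": sum(e["unreplied"] for e in entries),
        "by_src": Counter(e["src"] for e in entries),
        "by_dport": Counter((e["proto"], e["dport"]) for e in entries),
    }

def table_usage(count, conntrack_max=DEFAULT_CONNTRACK_MAX):
    """Fraction of the conntrack table in use (58662 of 65536 is roughly 0.895)."""
    return count / conntrack_max

if __name__ == "__main__":
    s = summarize(SAMPLE_CONNTRACK)
    print(f"{s['total']} sessions, {s['unreplied']} unreplied")
    print("top sources:", s["by_src"].most_common(3))
    print("top ports:", s["by_dport"].most_common(3))
    print(f"table usage at 58662 sessions: {table_usage(58662):.1%}")
```

A single source holding most of the table, or a large share of [UNREPLIED] entries, points at the traffic to block or rate-limit upstream rather than at a tuning problem.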
  • you can limit the conntrack sessions too to slow down the dos attack or whatever is going on with your box.

  • @bashed said:
    you can limit the conntrack sessions too to slow down the dos attack or whatever is going on with your box.

    how to do :D

  • Depending on what you're doing you could also disable nf_conntrack or mark certain iptables-rules with NOTRACK. Not sure if that works without proper virtualisation though.

  • SplitIce Member, Host Rep
    edited January 2015

    Are you aware that conntrack session exhaustion is usually due to a DDoS? Unless you normally have 58,662 active sessions (TCP connections, UDP dstip,dstport,srcip,srcport tuples)

    You can consider NOTRACK'ing, however likely your service will be overwhelmed by the influx of traffic.

    If it is small enough you may want to consider enlarging your conntrack table; however, it looks like it's your provider's conntrack table (OpenVZ?), in which case it's out of your control.

  • sorry for the late response but this could sometime in the future.

    limit sessions

    /sbin/sysctl -w net.netfilter.nf_conntrack_max=xxxx

    xxxx = number

    /sbin/sysctl net.netfilter.nf_conntrack_count

    to check how many sessions
