Server freeze

perrera

Today I woke up to a frozen machine that only responded to ping.
After a manual reboot, I checked the logs and found many errors like this:

Code:
kernel: ip_conntrack: table full, dropping packet.

Can anyone help me clarify why that happened?
Thanks.
 
I suppose that is a memory issue.
Can you check the output of this:
cat /var/log/messages | grep alloc
 
Use the netstat command to list connections.

netstat -na
 
(sorry for my English) :rolleyes:
It happened again, but this time I was able to run:

Code:
cat /proc/net/ip_conntrack

My server: 200.29.131.41
Last lines of output:
Code:
...
tcp      6 55 TIME_WAIT src=201.246.171.3 dst=200.29.131.41
sport=20041 dport=80 packets=58 bytes=3018 src=200.29.131.41
dst=201.246.171.3 sport=80 dport=20041 packets=89 bytes=117835
[ASSURED] mark=0 secmark=0 use=1
tcp      6 44 TIME_WAIT src=190.196.4.82 dst=200.29.131.41 sport=52435
dport=35723 packets=8 bytes=424 src=200.29.131.41 dst=190.196.4.82
sport=35723 dport=52435 packets=9 bytes=7790 [ASSURED] mark=0
secmark=0 use=1
tcp      6 17 TIME_WAIT src=190.196.4.82 dst=200.29.131.41 sport=57238
dport=35696 packets=6 bytes=320 src=200.29.131.41 dst=190.196.4.82
sport=35696 dport=57238 packets=6 bytes=4452 [ASSURED] mark=0
secmark=0 use=1
tcp      6 46 TIME_WAIT src=190.196.4.82 dst=200.29.131.41 sport=35724
dport=35158 packets=181 bytes=11956 src=200.29.131.41 dst=190.196.4.82
sport=35158 dport=35724 packets=224 bytes=331876 [ASSURED] mark=0
secmark=0 use=1
tcp      6 36 TIME_WAIT src=190.196.4.82 dst=200.29.131.41 sport=41629
dport=35714 packets=89 bytes=4636 src=200.29.131.41 dst=190.196.4.82
sport=35714 dport=41629 packets=107 bytes=157611 [ASSURED] mark=0
secmark=0 use=1
...

So 98% of the file has the same IP, src=190.196.4.82, over and over again. This IP is from one of my clients, so I'm assuming it is some kind of VIRUS or INFECTED PC(s) generating these connections. So use IPTABLES to drop the connections.

Any theories for this kind of behaviour?
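
The per-source tally described in the post above, as an added example that is not part of the original thread: it groups `/proc/net/ip_conntrack` entries by original-direction source and reports each source's share of the table, rejoining entries that a paste has wrapped across lines. The sample entries are constructed (documentation-range addresses) and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in /proc/net/ip_conntrack format (documentation-range
# addresses, not taken from the thread). The first entry is wrapped on purpose.
SAMPLE = """\
tcp      6 55 TIME_WAIT src=198.51.100.7 dst=192.0.2.10
sport=20041 dport=80 packets=58 bytes=3018 src=192.0.2.10
dst=198.51.100.7 sport=80 dport=20041 packets=89 bytes=117835
[ASSURED] mark=0 secmark=0 use=1
tcp      6 44 TIME_WAIT src=203.0.113.82 dst=192.0.2.10 sport=52435 dport=35723 packets=8 bytes=424 src=192.0.2.10 dst=203.0.113.82 sport=35723 dport=52435 packets=9 bytes=7790 [ASSURED] mark=0 secmark=0 use=1
tcp      6 17 TIME_WAIT src=203.0.113.82 dst=192.0.2.10 sport=57238 dport=35696 packets=6 bytes=320 src=192.0.2.10 dst=203.0.113.82 sport=35696 dport=57238 packets=6 bytes=4452 [ASSURED] mark=0 secmark=0 use=1
udp      17 20 src=203.0.113.82 dst=192.0.2.10 sport=5353 dport=53 packets=1 bytes=60 [UNREPLIED] src=192.0.2.10 dst=203.0.113.82 sport=53 dport=5353 packets=0 bytes=0 mark=0 use=1
"""

# An entry starts with: protocol name, protocol number, remaining timeout.
ENTRY_START = re.compile(r"^(\w+)\s+\d+\s+\d+\s+(.*)$")

def parse_entries(text):
    """Yield (proto, state, original_src) per entry, rejoining wrapped lines."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if ENTRY_START.match(line):
            if current is not None:
                entries.append(current)
            current = line
        elif line and line != "..." and current is not None:
            current += " " + line          # continuation of a wrapped entry
    if current is not None:
        entries.append(current)
    for entry in entries:
        proto, rest = ENTRY_START.match(entry).groups()
        first = rest.split()[0]
        state = first if "=" not in first else "-"   # only TCP has a state name
        src = re.search(r"\bsrc=(\S+)", rest)        # first src= is the original direction
        if src:
            yield proto, state, src.group(1)

def summarize(text, top_n=3):
    """Return (total entries, [(src, count, percent)], Counter of states)."""
    rows = list(parse_entries(text))
    by_src = Counter(src for _, _, src in rows)
    by_state = Counter(state for _, state, _ in rows)
    top = [(ip, n, round(100.0 * n / len(rows), 1)) for ip, n in by_src.most_common(top_n)]
    return len(rows), top, by_state

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On a live machine, pass the contents of `/proc/net/ip_conntrack` to `summarize()` and compare the total with the configured table limit, which on kernels of this generation is usually exposed as `/proc/sys/net/ipv4/netfilter/ip_conntrack_max` (the path varies by kernel version).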
 