  1. #1
    Newbie
    Join Date
    Apr 2019
    Posts
    13

    nf_conntrack: table full, dropping packet

    May 6 20:23:55 untangle kernel: [270723.275177] nf_conntrack: nf_conntrack: table full, dropping packet
    May 6 20:23:55 untangle kernel: [270723.281165] nf_conntrack: nf_conntrack: table full, dropping packet
    May 6 20:23:55 untangle kernel: [270723.281168] nf_conntrack: nf_conntrack: table full, dropping packet
    May 6 20:23:55 untangle kernel: [270723.515267] nf_conntrack: nf_conntrack: table full, dropping packet

    Internet performance has dropped off, log full of these messages... what should I do?

  2. #2
    Newbie
    Join Date
    Apr 2019
    Posts
    13

    Using conntrack -L - looks like my conntrack table is full of entries like this - SYN_SENT UNREPLIED

    tcp 6 88 SYN_SENT src=121.198.136.40 dst=116.31.99.109 sport=61555 dport=8500 packets=2 bytes=1816 [UNREPLIED] src=116.31.99.109 dst=121.198.136.40 sport=8500 dport=61555 packets=0 bytes=0 mark=16777216 delta-time=36 use=1
    tcp 6 89 SYN_SENT src=34.127.234.72 dst=116.31.99.109 sport=4310 dport=8500 packets=5 bytes=4680 [UNREPLIED] src=116.31.99.109 dst=34.127.234.72 sport=8500 dport=4310 packets=0 bytes=0 mark=16777216 delta-time=47 use=1
    tcp 6 87 SYN_SENT src=86.111.58.43 dst=116.31.99.109 sport=62245 dport=8500 packets=8 bytes=7320 [UNREPLIED] src=116.31.99.109 dst=86.111.58.43 sport=8500 dport=62245 packets=0 bytes=0 mark=16777216 delta-time=60 use=1

    These source and destination addresses are not known to me. Is this a denial of service attack of some kind?

  3. #3
    Newbie
    Join Date
    Apr 2019
    Posts
    13

    Something odd is going on, I don't understand.

    If I watch tcpdump on what I think is traffic originating from my untangle box, I see a lot of strange traffic:

    tcpdump -Q out -nn
    ....

    22:34:08.953887 IP 105.117.121.19.56164 > 119.63.47.109.8500: Flags [S], seq 3680796250:3680797101, win 63679, length 851
    22:34:08.953891 IP 71.84.170.78.5782 > 119.63.47.109.8500: Flags [S], seq 378953016:378953896, win 65212, length 880
    22:34:08.953909 IP 35.96.158.174.30346 > 119.63.47.109.8500: Flags [S], seq 1988782356:1988783206, win 62236, length 850
    22:34:08.953932 IP 90.130.229.190.34513 > 119.63.47.109.8500: Flags [S], seq 2261879627:2261880481, win 63823, length 854
    22:34:08.953943 IP 68.179.2.241.47598 > 119.63.47.109.8500: Flags [S], seq 3119430453:3119431306, win 60228, length 853
    22:34:08.953947 IP 36.141.45.206.38425 > 119.63.47.109.8500: Flags [S], seq 2518259221:2518260081, win 61015, length 860
    22:34:08.953967 IP 128.15.240.21.56795 > 119.63.47.109.8500: Flags [S], seq 3722123377:3722124266, win 60935, length 889
    22:34:08.953983 IP 73.217.66.36.60461 > 119.63.47.109.8500: Flags [S], seq 3962430010:3962430886, win 60686, length 876
    22:34:08.953999 IP 37.195.40.95.10004 > 119.63.47.109.8500: Flags [S], seq 655674390:655675281, win 65159, length 891

    ....

    These addresses are not familiar to me, and I think it's odd that these should be on my outbound interface given that this is not my external IP. If it were originating from inside my network would it not be NAT'd? So is it originating from my untangle box somehow?

  4. #4
    Newbie
    Join Date
    Apr 2019
    Posts
    13

    I think this is a Trojan on the box; I have pulled it and swapped in my old router while I restore the configuration.

  5. #5
    Untangler
    Join Date
    Jun 2018
    Posts
    31

    Probably the wise choice, those 116.x.x.x and 119.x.x.x addresses are resolving to the Guangzhou region of China. I'm assuming yours are the ones located just outside of Wichita?
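
Added example, not part of any post in this thread: a Python triage script that parses `conntrack -L` output like that quoted in post #2, groups half-open `SYN_SENT [UNREPLIED]` entries by destination, and marks destinations whose sources all fall outside the networks the firewall serves, which is the pattern post #3 describes in tcpdump. `LOCAL_NETS`, the `min_flows` threshold and the fourth sample line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the LAN and WAN address this firewall legitimately forwards for.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "198.51.100.7/32")]

# First three entries are the ones quoted in post #2; the fourth is constructed.
SAMPLE = """\
tcp 6 88 SYN_SENT src=121.198.136.40 dst=116.31.99.109 sport=61555 dport=8500 packets=2 bytes=1816 [UNREPLIED] src=116.31.99.109 dst=121.198.136.40 sport=8500 dport=61555 packets=0 bytes=0 mark=16777216 delta-time=36 use=1
tcp 6 89 SYN_SENT src=34.127.234.72 dst=116.31.99.109 sport=4310 dport=8500 packets=5 bytes=4680 [UNREPLIED] src=116.31.99.109 dst=34.127.234.72 sport=8500 dport=4310 packets=0 bytes=0 mark=16777216 delta-time=47 use=1
tcp 6 87 SYN_SENT src=86.111.58.43 dst=116.31.99.109 sport=62245 dport=8500 packets=8 bytes=7320 [UNREPLIED] src=116.31.99.109 dst=86.111.58.43 sport=8500 dport=62245 packets=0 bytes=0 mark=16777216 delta-time=60 use=1
tcp 6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.10 sport=50000 dport=443 packets=10 bytes=1200 src=203.0.113.10 dst=198.51.100.7 sport=443 dport=50000 packets=9 bytes=900 [ASSURED] mark=0 use=1
"""

# Matches TCP entries only (they carry a state); captures the original-direction tuple.
ENTRY = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?P<state>[A-Z_]+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def summarize(text):
    """Group half-open (SYN_SENT and [UNREPLIED]) flows by destination (ip, port)."""
    targets = defaultdict(lambda: {"flows": 0, "sources": set(), "foreign": set()})
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m["state"] != "SYN_SENT" or "[UNREPLIED]" not in line:
            continue
        t = targets[(m["dst"], int(m["dport"]))]
        t["flows"] += 1
        t["sources"].add(m["src"])
        if not is_local(m["src"]):
            t["foreign"].add(m["src"])
    return dict(targets)

def suspicious(summary, min_flows=3):
    """Destinations with >= min_flows half-open flows where every source is non-local."""
    return sorted(
        k for k, t in summary.items() if t["flows"] >= min_flows and t["foreign"] == t["sources"]
    )

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for dst, dport in suspicious(summary):
        print(f"{dst}:{dport} half-open={summary[(dst, dport)]['flows']} all sources non-local")
```

On a live box, pass the text of `conntrack -L` to `summarize()` in place of `SAMPLE` and set `LOCAL_NETS` to the real LAN and WAN addressing.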
