Conntrack backdoor

I see this error more and more often. The symptom is that connections slow down for a moment when the LAN is penetrated, and then connections resume, usually after a few minutes.
Any idea how to protect LAN devices from this attack?
A Google search shows a lot of complaints about this error, but I could not find a solution:

conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module

I see the same error periodically on my device too, although I haven't noticed any connection slowness or interruption as a result. What makes you think this is the result of an attack?

I did search around a few months ago and came to the conclusion that a couple of additional kernel modules (kmod-gre & kmod-ipt-nat-extra) might make the warning go away, but I haven't tried this to confirm.

https://forum.openwrt.org/viewtopic.php?id=64949&p=34

This thread claims the kmod-nf-nathelper-extra kernel module should be loaded to stop this error. Can't seem to find my source for the 2 modules I mentioned above...

Regardless, I think this is a harmless warning but would be interested in someone more knowledgeable chiming in with details and to confirm.

That warning is just conntrack highlighting that it has seen a packet that uses protocol 47 and that it does not have a helper function for that installed by default. But unless you use stuff utilizing protocol 47, there is not much reason to install any new module. Similar messages can surface for several protocols, as netfilter was changed a few years ago to not include all protocol helpers by default.

But no idea how that could be related to any backdoor and connectivity problems of OP.

Thanks for the explanation, @hnyman.

Around the time the error shows up, my wemo switches are acting up; just a timing coincidence that looked suspicious. I did not find confirmation in the logs.
Then, after reading this:
https://home.regit.org/netfilter-en/secure-use-of-helpers/ (section on manual anti-spoofing), I got concerned there could be a flaw in the "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" implementation. The error could be like a fingerprint of the flaw.
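
Added example (not part of any post in this thread): a small log triage script that counts the conntrack warning per IP protocol number and checks how many warnings fall near the time a device misbehaved, so the suspected timing correlation can be tested against the log. The function names and the sample log layout (kernel lines with a bracketed uptime timestamp) are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example. Function names and the sample log layout are assumptions.

# Constructed sample: kernel log lines with [uptime-seconds] timestamps.
sample_log() {
cat <<'EOF'
kern.warn kernel: [  100.500000] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module.
kern.info kernel: [  130.000000] br-lan: port 1(eth0) entered forwarding state
kern.warn kernel: [  160.250000] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module.
kern.warn kernel: [ 9000.000000] conntrack: generic helper won't handle protocol 132. Please consider loading the specific helper module.
EOF
}

# Name a few IP protocol numbers (IANA assignments); 47 is GRE.
proto_name() {
    case "$1" in
        33)  echo DCCP ;;
        47)  echo GRE ;;
        132) echo SCTP ;;
        136) echo UDPLite ;;
        *)   echo unknown ;;
    esac
}

# Read log text on stdin and print one summary line per protocol number.
summarize_helper_warnings() {
    sed -n "s/.*conntrack: generic helper won't handle protocol \([0-9][0-9]*\)\..*/\1/p" |
    sort -n | uniq -c |
    while read -r count proto; do
        echo "protocol=$proto name=$(proto_name "$proto") count=$count"
    done
}

# Count warnings whose kernel timestamp lies within +/- window seconds of an
# uptime value. Usage: warnings_near <uptime_seconds> <window_seconds>
warnings_near() {
    awk -v t="$1" -v w="$2" '
        /conntrack: generic helper won.t handle protocol/ {
            if (match($0, /\[ *[0-9]+\.[0-9]+\]/)) {
                ts = substr($0, RSTART + 1, RLENGTH - 2) + 0
                if (ts >= t - w && ts <= t + w) n++
            }
        }
        END { print n + 0 }'
}

# Demo on the constructed sample; on the router: logread | summarize_helper_warnings
sample_log | summarize_helper_warnings
```

A count of zero from `warnings_near` around the times the devices misbehaved would suggest the two events are unrelated.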