Nearly full conntrack table, 60K lines

postcd

Guest
Hello,

I have a CentOS (RedHat) OpenVZ VPS and I run the command:

wc -l /proc/net/nf_conntrack
62109 /proc/net/nf_conntrack

sysctl net.netfilter.nf_conntrack_count && sysctl net.nf_conntrack_max
net.netfilter.nf_conntrack_count = 62095
net.nf_conntrack_max = 65536

tail & head on /proc/net/nf_conntrack show connections like this one (ESTABLISHED, ASSURED):

ipv4 2 tcp 6 401407 ESTABLISHED src=SOMEONEELSEIP dst=MYSERVERIPHERE sport=53375 dport=80 src=MYSERVERIPHERE dst=SOMEONEELSEIP sport=80 dport=53375 [ASSURED] mark=0 secmark=0 use=2

Apache shows that many different IPs (800+) are trying to connect to one web directory (which is empty); the connection speed can be like 5 IPs per second.

cat /etc/sysctl.conf | grep =
net.ipv4.ip_forward = 0
# net.ipv4.conf.default.rp_filter = 1
# net.ipv4.conf.default.accept_source_route = 0
# kernel.sysrq = 0
# kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# kernel.msgmnb = 65536
# kernel.msgmax = 65536
# kernel.shmmax = 68719476736
# kernel.shmall = 4294967296

I tried to add these lines into the above file, but the conntrack table does not decrease:
net.netfilter.nf_conntrack_tcp_timeout_established = 600
net.netfilter.nf_conntrack_generic_timeout = 120

Then I tried # sysctl -p:
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
error: permission denied on key 'net.netfilter.nf_conntrack_tcp_timeout_established'
error: permission denied on key 'net.netfilter.nf_conntrack_generic_timeout'

# sysctl -a | grep conn | grep time
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_events_retry_timeout = 15

I want to ask for kind advice: how can I somehow secure the server to prevent such a high number of lines in the connection tracking table? And if I can temporarily clean that table, how? How would you advise tweaking the settings? The server's normal connection rate is like 50 connections per second, I guess; it is a webserver.

Thank you

Update:
1) This helped to temporarily reduce the conntrack table size:
yum install conntrack-tools # install conntrack tools
conntrack -D -d MYSERVERIP # delete conntrack entries where destination ip is my server ip

2) And also temporarily increasing the conntrack table size limit: echo 66666 > /proc/sys/net/netfilter/nf_conntrack_max

3) Into /etc/sysctl.conf I added:
net.netfilter.nf_conntrack_tcp_timeout_established = 600
net.netfilter.nf_conntrack_generic_timeout = 120
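The post above asks what is filling the table and whether the shorter timeouts took effect. The POSIX shell script below is an added example, not part of the original post and not from any tool the post names: it parses the /proc/net/nf_conntrack line format shown above (protocol, remaining timeout in field 5, TCP state, original-direction src= tuple first, reply tuple second), reports entries per state, the top originating addresses, and how many entries still have more than 600 seconds left. Entries created while nf_conntrack_tcp_timeout_established was 432000 show up in that last figure, so a large count means the 600-second setting never took effect. The seven sample entries, the 203.0.113.0/24 client addresses and the 192.0.2.1 server address are constructed for the example; the count/max values (62095/65536) are the figures from the post. On a live host point CT_FILE at /proc/net/nf_conntrack and read the counters with sysctl -n.

```shell
#!/bin/sh
# Added example: summarise a netfilter conntrack table dump to see what fills it.
# The sample lines are constructed (documentation addresses: 203.0.113.0/24 are
# remote clients, 192.0.2.1 stands for "my server"); on a real host set
# CT_FILE=/proc/net/nf_conntrack instead of writing this temp file.
CT_FILE=$(mktemp)
trap 'rm -f "$CT_FILE"' EXIT
cat > "$CT_FILE" <<'EOF'
ipv4 2 tcp 6 401407 ESTABLISHED src=203.0.113.10 dst=192.0.2.1 sport=53375 dport=80 src=192.0.2.1 dst=203.0.113.10 sport=80 dport=53375 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 399000 ESTABLISHED src=203.0.113.10 dst=192.0.2.1 sport=53380 dport=80 src=192.0.2.1 dst=203.0.113.10 sport=80 dport=53380 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 431990 ESTABLISHED src=203.0.113.11 dst=192.0.2.1 sport=40001 dport=80 src=192.0.2.1 dst=203.0.113.11 sport=80 dport=40001 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 118 TIME_WAIT src=203.0.113.12 dst=192.0.2.1 sport=40002 dport=80 src=192.0.2.1 dst=203.0.113.12 sport=80 dport=40002 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 115 SYN_SENT src=203.0.113.10 dst=192.0.2.1 sport=40003 dport=80 [UNREPLIED] src=192.0.2.1 dst=203.0.113.10 sport=80 dport=40003 mark=0 secmark=0 use=2
ipv4 2 udp 17 25 src=203.0.113.13 dst=192.0.2.1 sport=5353 dport=53 src=192.0.2.1 dst=203.0.113.13 sport=53 dport=5353 mark=0 secmark=0 use=2
ipv4 2 tcp 6 431000 ESTABLISHED src=203.0.113.14 dst=192.0.2.1 sport=40004 dport=80 src=192.0.2.1 dst=203.0.113.14 sport=80 dport=40004 [ASSURED] mark=0 secmark=0 use=2
EOF

# Percent of nf_conntrack_max in use (integer division, rounds down).
fill_pct() { echo $(( $1 * 100 / $2 )); }

# OK below 80 %, WARNING from 80 %, CRITICAL from 90 %. At 100 % the kernel drops
# new flows and logs "nf_conntrack: table full, dropping packet".
table_status() {
    p=$(fill_pct "$1" "$2")
    if [ "$p" -ge 90 ]; then echo CRITICAL
    elif [ "$p" -ge 80 ]; then echo WARNING
    else echo OK; fi
}

# Entries per state. Field layout: l3proto l3num l4proto l4num timeout [tcp_state] src=...
# UDP and ICMP lines carry no state field, so they are keyed by protocol name.
state_summary() {
    awk '{ key = ($3 == "tcp") ? $6 : $3; n[key]++ }
         END { for (k in n) print k, n[k] }' "$1" | sort
}

# Top N originating addresses. The first src= on a line is the original direction
# (the peer that opened the flow); the second src= is the reply direction.
top_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break } }
         END { for (k in n) print n[k], k }' "$1" | sort -rn | head -n "$2"
}

# Entries whose remaining lifetime (field 5, seconds) exceeds LIMIT. With
# nf_conntrack_tcp_timeout_established left at 432000, every idle ESTABLISHED
# entry lingers for five days; many entries above 600 s means the shorter
# timeout from sysctl.conf was never applied.
long_lived() {
    awk -v lim="$2" '$5 > lim { c++ } END { print c + 0 }' "$1"
}

# Counter values as reported in the post; on a live host use
#   sysctl -n net.netfilter.nf_conntrack_count   and   sysctl -n net.netfilter.nf_conntrack_max
CT_COUNT=62095
CT_MAX=65536

report() {
    echo "table: $CT_COUNT/$CT_MAX ($(fill_pct "$CT_COUNT" "$CT_MAX")%) $(table_status "$CT_COUNT" "$CT_MAX")"
    echo "entries per state:"; state_summary "$CT_FILE"
    echo "top originating addresses:"; top_sources "$CT_FILE" 3
    echo "entries with more than 600 s left: $(long_lived "$CT_FILE" 600)"
}
report
```

Run it as-is to see the constructed report; with CT_FILE pointing at the real /proc/net/nf_conntrack the top_sources output tells you which clients hold most of the table and long_lived tells you whether old five-day entries are what keeps it full. The "permission denied" errors from sysctl -p in the post are typical of an OpenVZ container, where net.netfilter.* keys are writable only from the hardware node, so the timeout change is something to request from the VPS provider rather than a syntax problem; the conntrack -D step in the update is the only in-container way to clear existing long-lived entries.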