[原文]The ICMP path MTU (PMTU) discovery feature in various UNIX systems allows remote attackers to cause a denial of service by spoofing "ICMP Fragmentation needed but Don't Fragment (DF) set" packets between two target hosts, which could cause one host to lower its MTU when transmitting to the other host.
Multiple Vendor ICMP Path MTU Discovery Spoofing DoS
Remote / Network Access
Denial of Service,
Loss of Availability
Linux, some variants of BSD, and possibly other operating systems contain a flaw in their TCP/IP stacks that may allow a remote denial of service. The issue is triggered when spoofed "fragmentation required but DF set" ICMP packets (ICMP type 3, code 4) are sent to the machine. This will cause the machine to lower the MTU for connections to the spoofed address, significantly slowing throughput and efficiency, and will result in loss of availability for the platform.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.