2026-08-14

FRAGJAM: DoS Attacks Using IP Reassembly Congestion

Summary

UDP, one of the major transport protocols and the basis of popular services such as DNS and video conferencing, is an important component of today's networks. Its reliance on IP fragmentation is known to cause both security and reliability problems, so UDP-based applications usually limit their payload size to avoid fragmentation. Linux's IP fragment reassembly currently enforces a per-network-namespace limit on the memory shared by all partially reassembled datagrams, so a classic resource-exhaustion DoS attack against UDP services that depend on IP fragmentation is possible. How fragile real-world services are to such an attack, however, has not yet been thoroughly researched. In this paper, we examine the practicability of an IP-fragmentation-based DoS attack against real-world providers of popular UDP-based services, including VPN, video conferencing, and RADIUS, assessing it from both the client and the service-provider perspective. On the server side, we observe that many real-world service providers fragment their server-to-client traffic down to artificially small path MTUs when they receive attacker-forged ICMP Fragmentation Needed messages. On the client side, we show that server-to-client fragmented traffic can be dropped by flooding Linux-based NAT gateways with bogus fragments. Through simulated attacks, we demonstrate that the fragmentation-based DoS attack is realistic and affects providers such as Zoom and ExpressVPN. We conducted a comprehensive disclosure to the affected parties and suggest possible mitigations.
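The root cause the abstract describes is that every fragment queue in a Linux network namespace draws on one shared memory budget, so an attacker who fills that budget with fragments that never complete starves everyone else's reassembly. The following toy model is an added example written for this page; it is not the paper's code or the Linux kernel's. It keeps only the behaviour relevant to the attack: a shared budget (the default value of net.ipv4.ipfrag_high_thresh, 4 MiB), incomplete queues that expire after net.ipv4.ipfrag_time (default 30 s), and a fragment that would need a new queue being refused while the budget is exhausted. The per-fragment memory cost, the refusal rule, the queue key (real Linux also keys on the protocol) and the IP addresses are assumptions made for illustration.

```python
"""Toy model of a per-namespace IP fragment reassembly buffer under a fragment flood.

Added example for this page, not code from the paper or from Linux. It models:
  * one memory budget shared by all fragment queues in the namespace,
  * incomplete queues expiring after a fixed time,
  * fragments needing a new queue being dropped while the budget is exhausted.
Memory accounting and the refusal rule are simplifications (assumptions).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPFRAG_HIGH_THRESH = 4 * 1024 * 1024  # bytes; Linux default for net.ipv4.ipfrag_high_thresh
IPFRAG_TIME = 30                       # seconds; Linux default for net.ipv4.ipfrag_time
FRAG_OVERHEAD = 64                     # assumed per-fragment bookkeeping cost (not Linux's truesize)


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int      # IP identification field
    offset: int     # byte offset of this fragment's payload in the datagram
    length: int     # payload bytes carried by this fragment
    more: bool      # More Fragments flag


@dataclass
class Queue:
    first_seen: float
    mem: int = 0
    total: Optional[int] = None                  # datagram length, known once the last fragment arrives
    pieces: Dict[int, int] = field(default_factory=dict)  # offset -> length

    def complete(self) -> bool:
        """True when the pieces cover [0, total) without gaps."""
        if self.total is None:
            return False
        covered = 0
        for off in sorted(self.pieces):
            if off != covered:
                return False
            covered = off + self.pieces[off]
        return covered == self.total


class ReassemblyBuffer:
    def __init__(self, high_thresh: int = IPFRAG_HIGH_THRESH, frag_time: int = IPFRAG_TIME):
        self.high_thresh = high_thresh
        self.frag_time = frag_time
        self.queues: Dict[Tuple[str, str, int], Queue] = {}
        self.mem = 0        # memory currently charged to all queues (the shared budget)
        self.dropped = 0    # fragments refused because the budget was exhausted

    def _expire(self, now: float) -> None:
        """Free queues that have waited longer than frag_time without completing."""
        stale = [k for k, q in self.queues.items() if now - q.first_seen >= self.frag_time]
        for key in stale:
            self.mem -= self.queues.pop(key).mem

    def receive(self, frag: Fragment, now: float) -> Optional[int]:
        """Feed one fragment; return the datagram length when reassembly completes, else None."""
        self._expire(now)
        key = (frag.src, frag.dst, frag.ident)
        q = self.queues.get(key)
        if q is None:
            if self.mem > self.high_thresh:   # budget exhausted: refuse to open a new queue
                self.dropped += 1
                return None
            q = self.queues[key] = Queue(first_seen=now)
        cost = frag.length + FRAG_OVERHEAD
        q.pieces[frag.offset] = frag.length
        q.mem += cost
        self.mem += cost
        if not frag.more:
            q.total = frag.offset + frag.length
        if q.complete():
            del self.queues[key]
            self.mem -= q.mem
            return q.total
        return None


def flood(buf: ReassemblyBuffer, now: float) -> int:
    """Attacker sends first fragments (MF set) of datagrams that never complete; returns count sent."""
    n = 0
    while buf.mem <= buf.high_thresh:
        buf.receive(Fragment("198.51.100.7", "192.0.2.10", n, 0, 1480, True), now)
        n += 1
    return n


def victim_datagram(ident: int = 4242) -> List[Fragment]:
    """Legitimate server-to-client datagram of 2000 payload bytes split into two fragments (constructed)."""
    return [Fragment("203.0.113.5", "192.0.2.10", ident, 0, 1480, True),
            Fragment("203.0.113.5", "192.0.2.10", ident, 1480, 520, False)]


def simulate(attack: bool) -> dict:
    """Deliver the victim's datagram during the flood and again after the flood's queues expire."""
    buf = ReassemblyBuffer()
    sent = flood(buf, now=0.0) if attack else 0
    during = [buf.receive(f, now=1.0) for f in victim_datagram()]
    after = [buf.receive(f, now=1.0 + IPFRAG_TIME) for f in victim_datagram(ident=4243)]
    return {"attacker_fragments": sent, "victim_during_flood": during[-1],
            "victim_after_expiry": after[-1], "dropped": buf.dropped}


if __name__ == "__main__":
    print("no attack:", simulate(False))
    print("attack:   ", simulate(True))
```

In the model, roughly 2,700 never-completing 1480-byte fragments are enough to exhaust the 4 MiB budget, after which the victim's two fragments are both refused; once the attacker's queues time out, the same datagram reassembles normally. The consequence for a practitioner is that the attacker only has to sustain about high_thresh / ipfrag_time of junk, around 140 KiB/s at the defaults, to keep a gateway's reassembly unusable, and raising ipfrag_high_thresh only raises that rate linearly. Real Linux accounting (skb truesize, low/high thresholds, the protocol in the queue key) differs in detail from this model.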

Conference Paper

USENIX Security Symposium (USENIX Security)

Date published

2026-08-14

Date last modified

2026-06-26