Through sending a forged ICMP "Fragmentation Needed" message to the Linux host,
an off-path attacker can clear the DF (Don't Fragment) flag in IP header, thus
downgrading the IPID assignment for TCP datagrams from the more secure per-socket
based counter to hash based counter (since kernel version 3.9). Then the attacker
can detect a shared IPID counter via hash collisions, which forms a side-channel.
By observing the side channel, the attacker can hijack TCP connections on
the vulnerable Linux host completely off-path.
*** This bug has been marked as a duplicate of bug 1 ***