It is a Denial of Service attack that utilizes the Path MTU Discovery technique that most modern tcp/ip stack implementations rely upon.
MTU represents the maximum size (in bytes) for a packet that a node -or more correctly a network interface- can handle. For a successful connection, both the source and the destination host, as well as all the intermediate routers must support the same length. In practice, what's important is that the destination host does not receive any packet of a larger size, which is easy to arrange by negotiating. However there is no guarantee that all the intermediate routers will have the same (or larger) MTU set. So there are two methods to guarantee that the connection will complete sucessfully: Packet Segmentation and Path MTU Discovery.
According to the first method, each packet is send according to the MTU that is reported by the remote host of the connection, which means that if some router inbetween uses a smaller MTU for an interface, the previous router will have to segment the packet, cut it into pieces according to the new MTU, before forwarding it. This means extra work for lots of routers, which is ineficient.
According to the second method, PMTUD (which is our case), each packet is sent again according to the MTU that is reported by the remote side, but now there is a special flag set on it's header, which tells each router that instead of fragmenting the packet if the next link has a smaller MTU, to just deny it and return an ICMP message to the sender, with the MTU of the next node. The sender then, will receive this message and modify the MTU for this connection accordingly. Obviously, this procedure may take place more than once, with the MTU getting smaller and smaller each time until the maximum supported by all the routers is determined.
While PMTUD is great and efficient and the processing overhead under normal ciscumstances is negligible, with a little imagination we can think of a few of ways to exploit it's working way to create additional overhead for one host to the point of a complete denial of service.
