Most modern operating systems are immune to the "ping-of-death" attack. From the IPCHAINS HOWTO:
5.3 Filtering out Ping of Death
Linux boxes are now immune to the famous Ping of Death, which involves sending an illegally-large ICMP packet which overflows buffers in the TCP stack on the receiver and causes havoc.
If you are protecting boxes which might be vulnerable, you could simply block ICMP fragments. Normal ICMP packets aren't large enough to require fragmentation, so you won't break anything except big pings. I have heard (unconfirmed) reports that some systems required only the last fragment of an oversize ICMP packet to corrupt them, so blocking only the first fragment is not recommended.
You can drop ICMP fragments with something like this:
iptables -A FORWARD -p icmp -f -j DROP
But again, unless you are trying to protect some old equipment, this is probably unnecessary.
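
The following Python code is an added example, not part of the original answer or the HOWTO. It reads the IPv4 fragmentation fields that a fragment rule keys on and flags a fragment whose offset plus length would push the reassembled datagram past 65535 bytes. The function names and sample headers (documentation-range addresses, no payload) are constructed for illustration.

```python
import struct

IP_MF = 0x2000        # "more fragments" flag bit
IP_OFFMASK = 0x1FFF   # fragment offset field, counted in 8-byte units
PROTO_ICMP = 1
MAX_DATAGRAM = 65535  # largest IPv4 datagram the 16-bit length field allows


def classify(packet: bytes) -> str:
    """Classify one raw IPv4 packet by its fragmentation fields."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, flags_off = struct.unpack("!HHH", packet[2:8])
    if ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    if packet[9] != PROTO_ICMP:
        return "not-icmp"
    offset = (flags_off & IP_OFFMASK) * 8
    if offset == 0:
        # Offset 0 with MF set is the first fragment; without MF it is a whole packet.
        return "icmp-first-fragment" if flags_off & IP_MF else "icmp"
    # Non-zero offset: a second or later fragment, the kind iptables -f matches.
    payload = total_len - ihl
    if ihl + offset + payload > MAX_DATAGRAM:
        return "icmp-oversize-fragment"   # reassembly would exceed 65535 bytes
    return "icmp-fragment"


def sample_header(proto: int, total_len: int, flags_off: int) -> bytes:
    """Constructed 20-byte IPv4 header (no payload, checksum 0, documentation IPs)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_off,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))


SAMPLES = {
    "ordinary ping": sample_header(PROTO_ICMP, 84, 0),
    "first fragment": sample_header(PROTO_ICMP, 1500, IP_MF),
    "middle fragment": sample_header(PROTO_ICMP, 1500, IP_MF | 185),
    "oversize last fragment": sample_header(PROTO_ICMP, 120, 8189),
    "tcp segment": sample_header(6, 60, 0),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24s} -> {classify(pkt)}")
```

The "oversize last fragment" sample has the MF bit clear and an offset of 65512 bytes, so only the final fragment's header is needed to see that the reassembled size is illegal.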