diff --git a/sysctl.conf b/sysctl.conf
index 4d9fd77..47586e4 100644
--- a/sysctl.conf
+++ b/sysctl.conf
@@ -230,9 +230,11 @@ net.ipv4.tcp_tw_reuse = 1
 net.ipv4.tcp_max_orphans = 16384
 net.ipv4.tcp_orphan_retries = 0
-# Increase the maximum memory used to reassemble IP fragments
-net.ipv4.ipfrag_high_thresh = 512000
-net.ipv4.ipfrag_low_thresh = 446464
+# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
+net.ipv4.ipfrag_high_thresh = 262144
+net.ipv6.ip6frag_high_thresh = 262144
+net.ipv4.ipfrag_low_thresh = 196608
+net.ipv6.ip6frag_low_thresh = 196608
 # don't cache ssthresh from previous connection
 net.ipv4.tcp_no_metrics_save = 1
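Review bot: The two `_high_thresh` lines are written before the matching `_low_thresh` lines, and on kernels where the ipfrag/ip6frag sysctl handlers bound each key by the other (high must stay ≥ the current low), writing 262144 while the running low threshold is still larger (typically 3 MiB on recent kernels) is rejected with EINVAL, so `sysctl -p` logs an error, the high limit keeps its default and only the low limit is lowered — the mitigation is then not in effect. Move `net.ipv4.ipfrag_low_thresh = 196608` and `net.ipv6.ip6frag_low_thresh = 196608` above the two `_high_thresh` lines so the lower bound is tightened first. The `net.ipv6.ip6frag_*` keys only exist once the ipv6 module is loaded, so on hosts where it is loaded late or disabled these lines fail at boot; if the sysctl(8) in use supports it, a leading `-` on those two lines makes the failure non-fatal. The comment should also state that this is the workaround for kernels not yet patched for CVE-2018-5391 and that it reduces reassembly capacity for legitimate fragmented traffic, e.g. `# Workaround for unpatched kernels (CVE-2018-5391); lowers reassembly capacity for legitimate fragmented traffic`. The hunk header counts suggest two blank context lines were lost when the diff was collapsed; they do not affect the review.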