There are two different mechanisms of interest here: IP fragmentation (IP packets get broken up into smaller chunks, because intermediate networks have an MTU which is too large to allow them to pass) and TCP segmentation (the TCP stack breaks up payloads into segments no bigger than the requested MSS).

The author here presents two variants of the attack. The UDP variant does indeed rely on IP fragmentation, but the TCP version does not. To mitigate the TCP version, the ALG needs to be aware of the state of the TCP connection. Simple IP fragment reassembly won't be enough.

For the latter, the ALG needs to check that the connection starts with a SIP packet and disable any further processing if does not.

Agreed. I'm labouring the point because a lot of comments here are waving this away as a one-line stateless change ("just check the fragmentation offset is zero"), when in fact it might mean switching from a completely stateless ALG to a stateful ALG. That is a bigger deal from the code complexity point of view, because it means the ALG has to start tracking TCP connections.

I don't see any way the ALG could work reliably without being stateful - after all, the string it's looking for might end up split across multiple packets for any number of reasons out of control of the network hardware.

Perhaps this is the reason why all of these kinds of protocols always seem unreliable...

It might, but in a very high proportion of cases the networking stack takes the happy path and a single logical protocol unit translates directly to a single packet on the wire. That being the practical reality, it's quite possible to write a stateless protocol parser and have it apparently work. Except, as you point out, when it doesn't.

If the device is doing NAT, it already keeps track of whether a TCP connection is new or not. It feels like it should be easy enough to check that state when applying the ALG rule.

Or can a SIP REGISTER happen in a packet after the first?