SADDNS
SAD DNS (https://www.saddns.net/) is a DNS cache poisoning attack that was just released. It uses some details of ICMP to get a side channel. There is a Linux kernel patch that fixes it, but I don't know when it will be available for Debian.
The LEAP VPN nodes would be affected by this. The main issue is our DNS servers getting poisoned, allowing an attack against the VPN users.
This is a simple mitigation:
iptables -I OUTPUT -p icmp --icmp-type port-unreachable -j DROP
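
One way to apply the rule above idempotently and to audit a saved ruleset for it, since a rule inserted with `iptables -I` is lost on reboot unless it is also saved. This is an added example, not part of the original post; the function names and the default ruleset path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Insert the rule only if an identical one is not already present
# (iptables -C checks for an exact match). Needs root.
apply_mitigation() {
    iptables -C OUTPUT -p icmp --icmp-type port-unreachable -j DROP 2>/dev/null ||
        iptables -I OUTPUT -p icmp --icmp-type port-unreachable -j DROP
}

# Read iptables-save / `iptables -S` text on stdin. Succeed only if an
# unconditional OUTPUT rule drops ICMP port-unreachable (type 3, code 3)
# before any ACCEPT rule that could match ICMP. Deliberately conservative.
# The body is a subshell, so `exit` ends only this function and `set -f`
# (no globbing while splitting rule text) does not leak to the caller.
has_port_unreach_drop() (
    set -f
    while IFS= read -r line; do
        case "$line" in "-A OUTPUT "*) ;; *) continue ;; esac
        proto='' itype='' target='' extra='' prev=''
        for tok in ${line#-A OUTPUT }; do
            case "$prev" in
                -p) proto=$tok; prev=''; continue ;;
                -m) [ "$tok" = icmp ] || extra=1; prev=''; continue ;;
                --icmp-type) itype=$tok; prev=''; continue ;;
                -j) target=$tok; prev=''; continue ;;
            esac
            case "$tok" in
                -p|-m|--icmp-type|-j) prev=$tok ;;
                *) extra=1 ;;   # any other match narrows the rule
            esac
        done
        case "$proto" in ''|icmp) ;; *) continue ;; esac
        # An earlier ACCEPT wins, so the DROP would never be reached.
        [ "$target" = ACCEPT ] && exit 1
        [ "$target" = DROP ] && [ -z "$extra" ] || continue
        case "$itype" in 3/3|port-unreachable) exit 0 ;; esac
    done
    exit 1
)

# Usage: script apply | script audit [saved-ruleset]
# The default path is an assumption (Debian iptables-persistent).
case "${1:-}" in
    apply) apply_mitigation ;;
    audit) has_port_unreach_drop < "${2:-/etc/iptables/rules.v4}" ;;
esac
```

The audit treats any earlier ACCEPT rule that could match ICMP as shadowing the DROP, so a failure means "not confirmed" and the live ruleset should then be checked by hand.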