Allowing neighbor discovery messages to reach external network nodes is dangerous because it gives an attacker a way to learn about the network infrastructure that can be used to plan an attack. In addition, responding to the sending node that a packet cannot be forwarded because the destination host is unreachable provides network mapping information. Furthermore, if a router receives a large number of packets that cannot be forwarded, the router processor could be overloaded if it must generate a high volume of unreachable messages.
To mitigate the risk of reconnaissance or a denial of service attack, all external-facing interfaces must be configured to silently drop traffic that cannot be forwarded (without returning unreachable messages), not to announce network address information, and to ignore neighbor solicitation messages.
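As an added example that is not part of the original text, the following Python audit checks a router running-config for the three controls described above on every interface whose description marks it as external. The sample config is constructed, and the use of Cisco IOS-style command syntax (`no ipv6 unreachables`, `ipv6 nd ra suppress all`, an inbound `ipv6 traffic-filter` whose ACL denies `nd-ns`) is an assumption about the platform.

```python
import re
# Constructed sample running-config; Cisco IOS-style command syntax is an assumption.
SAMPLE_CONFIG = """\
ipv6 access-list EXT-IN
 deny icmp any any nd-ns
 permit ipv6 any any
interface GigabitEthernet0/0
 description EXTERNAL uplink to ISP
 ipv6 address 2001:db8::1/64
 no ipv6 unreachables
 ipv6 nd ra suppress all
 ipv6 traffic-filter EXT-IN in
interface GigabitEthernet0/1
 description EXTERNAL backup uplink
 ipv6 nd ra suppress
interface GigabitEthernet0/2
 description INTERNAL lan
"""

def parse_blocks(config):
    """Group each indented line under the unindented line above it."""
    blocks, key = {}, None
    for line in config.splitlines():
        if line and not line[0].isspace():
            key = line.strip()
            blocks[key] = []
        elif key and line.strip():
            blocks[key].append(line.strip())
    return blocks

def audit_external_interfaces(config):
    """Return {interface: [missing controls]} for interfaces described as external."""
    blocks, findings = parse_blocks(config), {}
    for key, lines in blocks.items():
        if not key.startswith("interface ") or not any(
                re.search(r"\bEXTERNAL\b", l) for l in lines if l.startswith("description")):
            continue  # internal interfaces are out of scope for these controls
        missing = []
        if "no ipv6 unreachables" not in lines:
            missing.append("icmpv6-unreachables-enabled")
        # 'ipv6 nd ra suppress' alone still answers Router Solicitations; 'all' is required
        if "ipv6 nd ra suppress all" not in lines:
            missing.append("router-advertisements-not-fully-suppressed")
        # Resolve the inbound IPv6 filter bound to the interface and look for an NS deny
        filt = [re.match(r"ipv6 traffic-filter (\S+) in$", l) for l in lines]
        acl = next((blocks.get("ipv6 access-list " + m.group(1), []) for m in filt if m), [])
        if not any(l.startswith("deny") and "nd-ns" in l for l in acl):
            missing.append("neighbor-solicitation-not-filtered")
        findings[key.split(" ", 1)[1]] = missing
    return findings
```

In the sample, GigabitEthernet0/0 passes all three checks while GigabitEthernet0/1 fails all three, including the partial `ipv6 nd ra suppress` that still answers solicited advertisements.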