What you write is not correct. The default firewall on a small device blocks this traffic. And on a large device (CCR/CHR)
it is the full responsibility of the admin to set up a firewall to secure the router.
What would you have Mikrotik change about MNDP's behavior? Requiring authentication of some kind is counter to the purpose of MNDP.
add action=drop chain=input dst-address-type=!broadcast dst-port=5678 log-prefix="" protocol=udp
Sure, Mikrotik could require MNDP to accept only broadcast. There are some benefits to allowing unicast. An administrator might want to poll his entire AS with MNDP, for example.
I think you should configure a default-deny firewall. I still feel MNDP should only accept broadcast.
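The two points above (a default-deny input chain, and only answering broadcast discovery) put together as one RouterOS filter configuration. This is an added example, not posted by anyone in the thread; the interface list names LAN and WAN, and the management ports it permits, are assumptions you would adapt to your own router.

```routeros
# Added example, not from the thread. Assumes LAN-facing interfaces are in
# interface list "LAN" and the uplink is in "WAN" (both names are assumptions).
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="keep existing flows"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="icmp"
# MNDP: only answer broadcast discovery, and only on the LAN side.
add chain=input action=accept protocol=udp dst-port=5678 dst-address-type=broadcast in-interface-list=LAN comment="MNDP broadcast from LAN"
add chain=input action=drop protocol=udp dst-port=5678 comment="MNDP unicast, or from WAN"
# Management only from the LAN; adjust ports to what you actually use.
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=22,8291 comment="ssh/winbox from LAN"
add chain=input action=drop comment="default deny: everything not accepted above"
# On RouterOS versions that have it, also restrict discovery itself to the LAN list.
/ip neighbor discovery-settings set discover-interface-list=LAN
```

The rule order matters: the broadcast accept must sit before the 5678 drop, and the final unconditional drop makes the chain default-deny, so any service you forget to list (DNS, WWW, API) is unreachable rather than exposed.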
I simply do not see this as a problem. A standard firewall config with a default drop resolves any potential issue. While I am happy to accept those suggestions relating to firewall rules, there does seem to be a hint of ignoring the root problem. After all, neighbour discovery is exactly that - not for discovering devices halfway around the world!!
So I was kinda busy and did not get a chance to look at this. However, it seems I am right and all you guys are WRONG!!! I simply do not see this as a problem. A standard firewall config with a default drop resolves any potential issue.
Do you disable the DNS, WWW, API, and SSH services, or otherwise block public access to those services on routers you administer? If so, why do you do that? If not, you may want to check for signs of compromise or abuse.
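A practical way to check the point raised in this thread is to send a unicast discovery request to a router from an address that should not be able to discover it and see whether it answers. The following probe is an added example and is not code from the thread or from MikroTik. The 4-zero-byte request and the TLV type numbers it decodes follow the public mactelnet tooling and are assumptions, not facts stated in the thread; the sample reply is constructed for offline use.

```python
"""Probe a router for unicast MNDP answers on UDP/5678 and decode the reply.

Added example, not from the thread.  The 4-zero-byte discovery request and the
TLV type numbers below follow the open-source mactelnet tooling and are
assumptions, not facts stated by any poster.
"""
import socket
import struct
import sys

MNDP_PORT = 5678
MNDP_DISCOVERY_REQUEST = b"\x00\x00\x00\x00"  # assumption: empty 4-byte header

# TLV type -> field name (assumption, from mactelnet; unknown types are kept as hex)
TLV_NAMES = {1: "mac", 5: "identity", 7: "version", 8: "platform", 12: "board"}


def parse_mndp(payload: bytes) -> dict:
    """Decode an MNDP reply: 4-byte header, then big-endian type/length TLVs."""
    if len(payload) < 4:
        raise ValueError("MNDP packet shorter than its 4-byte header")
    fields = {}
    offset = 4
    while offset < len(payload):
        if offset + 4 > len(payload):
            raise ValueError("truncated TLV header at offset %d" % offset)
        tlv_type, tlv_len = struct.unpack_from("!HH", payload, offset)
        offset += 4
        value = payload[offset:offset + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("TLV type %d claims %d bytes, only %d present"
                             % (tlv_type, tlv_len, len(value)))
        offset += tlv_len
        if tlv_type == 1:
            fields["mac"] = ":".join("%02x" % b for b in value)
        elif tlv_type in TLV_NAMES:
            fields[TLV_NAMES[tlv_type]] = value.decode("utf-8", "replace")
        else:
            fields["type_%d" % tlv_type] = value.hex()
    return fields


def build_mndp_reply(fields: dict) -> bytes:
    """Build a reply with the same layout; used here to construct offline test input."""
    name_to_type = {v: k for k, v in TLV_NAMES.items()}
    out = bytearray(b"\x00\x00\x00\x00")
    for name, value in fields.items():
        raw = bytes.fromhex(value.replace(":", "")) if name == "mac" else value.encode("utf-8")
        out += struct.pack("!HH", name_to_type[name], len(raw)) + raw
    return bytes(out)


def probe_unicast_mndp(host: str, timeout: float = 2.0):
    """Send a unicast discovery request; return decoded fields, or None if silent.

    A router that should only be discoverable on its LAN must return None when
    probed from any address outside that LAN.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(MNDP_DISCOVERY_REQUEST, (host, MNDP_PORT))
        data, _ = sock.recvfrom(2048)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_mndp(data)


# Constructed sample reply for offline use; none of these values came from a real device.
SAMPLE_REPLY = build_mndp_reply({
    "mac": "00:0c:42:aa:bb:cc",
    "identity": "edge-router",
    "version": "6.x (constructed)",
    "platform": "MikroTik",
    "board": "CCR",
})


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: mndp_probe.py <router-ip>")
        sys.exit(2)
    result = probe_unicast_mndp(sys.argv[1])
    if result is None:
        print("no unicast MNDP reply: the router does not advertise itself to this address")
    else:
        print("unicast MNDP reply received; the router is discoverable from here:")
        for key, val in result.items():
            print("  %s: %s" % (key, val))
```

Run it from a host outside the router's LAN (for instance across the WAN side). A decoded identity, version and board coming back means the router is advertising itself to unicast probes from that network, which is exactly what the firewall rules discussed above are meant to stop; the parser rejects truncated TLVs rather than guessing at them so a malformed reply is reported instead of silently misread.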