A method is provided for preventing denial-of-service attacks on hosts attached to a subnet, where the attacks are initiated by a remote node over an external network. The method is performed by a router which forwards packets between the external network and the subnet. The router receives a packet for forwarding to a destination address in an address space of the subnet according to the IPv6 protocol and looks up the destination address in a Neighbor Discovery (ND) table. The ND table is populated by operations on the subnet that were completed prior to receipt of the packet. Entries in the ND table store address information of the hosts that have been verified by the router to be active. The router forwards the packet to the destination address if the destination address is stored in the ND table. Otherwise, the packet is discarded.