Peplink Intrusion Detection and DoS Prevention

I am running several servers which were having weird performance problems. I was finally able to debug the problem by running this command on macOS:

netstat -anp tcp | grep '\.443 '

which showed hundreds of tcp4 connections stuck in the “SYN_RCVD” state:

These happen to be Brazilian IP addresses, and we have no customers outside the USA.

Clear evidence of a SYN FLOOD attack.

I checked the Peplink UI and found this:

So I enabled it, and applied changes.

The UI states:

When this option is enabled, the unit will be protected by detecting the following types of intrusion and denial-of-service attack.

Port Scan
NMAP FIN/URG/PSH
Xmas Tree
Another Xmas Tree
Null Scan
SYN/RST
SYN/FIN
SYN Flood Prevention
Ping Flood Attack Prevention

However, it had absolutely zero effect.

Does this feature work at all? I could not see any evidence it does anything.

In any case, I was able to ban that IP range which solved the problem for now, but I’d really like to know if the SYN Flood Prevention works.

This is on a Balance One with the latest firmware, 8.5.4.

More info - this may not be a traditional SYN flood attack, because if you notice, the source IPs are changing.

Sources suggest this may actually be a SYN Reflection DoS attack, where the source IPs are forged, meaning the “source” attackers are actually the victims in this case.

In any case, it would be good if we could establish:
(A) Does Peplink’s SYN Flood Prevention work?
(B) If so, is there a way to protect against this new SYN AMPLIFICATION attack?
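
The netstat check described in the post can be turned into a per-source summary of half-open connections, which makes it easier to see whether enabling a router setting changes anything. This is an added example, not part of the original post; it assumes macOS-style `netstat -anp tcp` columns, and the function names and sample lines (documentation address ranges) are constructed.

```shell
#!/bin/sh
# Count half-open (SYN_RCVD) tcp4 connections to a local port, grouped by
# the /24 of the claimed source address. Input: `netstat -anp tcp` on stdin.
syn_rcvd_by_prefix() {
    port="${1:-443}"                      # local port to inspect
    awk -v port="$port" '
        # macOS prints addresses as a.b.c.d.port, so split on "."
        $1 == "tcp4" && $6 == "SYN_RCVD" {
            if (split($4, l, ".") != 5) next          # skips "*.443" listeners
            if ((l[5] "") != (port "")) next          # other local ports
            if (split($5, f, ".") != 5) next
            count[f[1] "." f[2] "." f[3] ".0/24"]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -k1,1nr -k2,2
}

# Print only the prefixes whose SYN_RCVD count reaches a threshold.
# $1 = threshold, $2 = local port (default 443)
flag_syn_sources() {
    syn_rcvd_by_prefix "${2:-443}" | awk -v t="$1" '$1 + 0 >= t + 0 { print $2 }'
}

# Constructed sample input (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.443         203.0.113.7.40112      SYN_RCVD
tcp4       0      0  192.0.2.10.443         203.0.113.91.51877     SYN_RCVD
tcp4       0      0  192.0.2.10.443         203.0.113.140.2291     SYN_RCVD
tcp4       0      0  192.0.2.10.443         198.51.100.23.60514    SYN_RCVD
tcp4       0      0  192.0.2.10.443         198.51.100.8.55012     ESTABLISHED
tcp4       0      0  192.0.2.10.22          203.0.113.7.40200      SYN_RCVD
tcp4       0      0  *.443                  *.*                    LISTEN
EOF
}

# Stand-alone run on the sample; on a live host use:
#   netstat -anp tcp | syn_rcvd_by_prefix 443
sample_netstat | syn_rcvd_by_prefix 443
```

Comparing the counts before and after a configuration change gives a concrete measure of its effect. As the post notes, the source addresses may be forged, so the prefixes show where the SYNs claim to come from.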