What are the trigger thresholds for DoS Prevention, such as SYN Flood and Ping Flood?

Hi Peplink Team and Community,

I would like to ask about the Intrusion Detection and DoS Prevention feature on Peplink routers.

After enabling this option, the help message says the unit will detect and protect against the following types of intrusion and denial-of-service attacks:

  • Port Scan
  • NMAP FIN/URG/PSH
  • Xmas Tree
  • Another Xmas Tree
  • Null Scan
  • SYN/RST
  • SYN/FIN
  • SYN Flood Prevention
  • Ping Flood Attack Prevention

My question is mainly about the trigger thresholds.

For example:

  1. For SYN Flood Prevention, how many SYN packets per second, half-open sessions, or connection attempts will trigger the protection?
  2. For Ping Flood Attack Prevention, how many ICMP packets per second will trigger the protection?
  3. For Port Scan detection, how many ports or connection attempts within what time window will be considered a port scan?
  4. Are these thresholds fixed internally by the firmware, or can they be adjusted by the administrator?
  5. Do the thresholds vary depending on the Peplink device model, firmware version, WAN bandwidth, or current system load?
  6. When the protection is triggered, what action does the device take? For example, does it drop packets, temporarily block the source IP, rate-limit the traffic, or only generate logs?
  7. Where can we check the logs or event records when DoS Prevention is triggered?

Thank you.


Hi Heisenberg.pian,

Hope the below info can help :smiley:

Port Scan / Xmas Tree / Null Scan / SYN+RST / SYN+FIN :
These are not threshold-based. They detect illegal TCP flag combinations that should never appear in normal traffic:

  Attack Type         TCP Flags
  Xmas Tree Scan      FIN + PSH + URG
  Full Flag Scan      All TCP flags set
  Port Scan Variant   FIN + SYN + RST + ACK + URG
  Null Scan           No flags set
  SYN+RST             SYN and RST together
  SYN+FIN             SYN and FIN together

Action: Any single packet matching these patterns is immediately dropped — these flag combinations are inherently malicious and never occur in legitimate traffic.

1. SYN Flood Prevention
Tracked per source IP with two tiers:

  Tier     Threshold                                     Action
  Tier 1   More than 100 SYN packets within 1 second     Log and drop traffic
  Tier 2   More than 250 SYN packets within 5 seconds    Log and drop traffic

Once either threshold is exceeded, subsequent SYN packets from that source IP are dropped.

2. Ping Flood Attack Prevention
Tracked per source IP:
200 ICMP echo requests within 2 seconds (effectively >100 pings/sec) from the same source IP

Action: Once the threshold is exceeded, subsequent ICMP packets from that source IP are logged and dropped.

3. Port Scan detection threshold?
Refer to the variant explanation above.

4. Are thresholds adjustable?
For the detection methods that are threshold-based, the thresholds are fixed in the firmware and are not configurable by the administrator through the WebAdmin.

5. Do thresholds vary by model/firmware/bandwidth?

No. The thresholds are the same across devices. They are based on packet counts per source IP, not bandwidth or system load.

6. What action does the device take?

All detections result in packet drops:

  • Port scan / Xmas / Null / SYN+RST / SYN+FIN → immediate drop (any matching packet)

  • SYN Flood → drop once per-source-IP threshold is exceeded

  • Ping Flood → drop once per-source-IP threshold is exceeded

All events are also logged with an "IDS Alert:" prefix, rate-limited to 5 log entries per minute to avoid log flooding.

7. Where to check logs?
Events are logged with the prefix "IDS Alert:" and can be viewed in:

  • System event log on the device
  • Remote syslog server if configured
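To make the two detection styles in the reply concrete, here is an added reference model (written for this thread, not Peplink firmware code) that runs the flag-signature checks and the per-source-IP sliding-window thresholds over constructed packets; the flag table, tier values and the source IP 198.51.100.7 are taken from or assumed for the reply above, and the actual firmware may order or time its checks differently.

```python
from collections import defaultdict, deque

# Illegal TCP flag combinations listed in the reply (constructed table, not firmware data).
ALL_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})
FLAG_SIGNATURES = {
    "Xmas Tree": frozenset({"FIN", "PSH", "URG"}),
    "Full Flag Scan": ALL_FLAGS,
    "Port Scan Variant": frozenset({"FIN", "SYN", "RST", "ACK", "URG"}),
    "Null Scan": frozenset(),
}

def classify_tcp_flags(flags):
    """Name of the illegal flag pattern a packet matches, or None if the flags look legal."""
    flags = frozenset(flags)
    for name, signature in FLAG_SIGNATURES.items():
        if flags == signature:            # exact patterns are checked first
            return name
    if {"SYN", "RST"} <= flags:           # SYN and RST together
        return "SYN+RST"
    if {"SYN", "FIN"} <= flags:           # SYN and FIN together
        return "SYN+FIN"
    return None

# Threshold tiers quoted in the reply: (max packets, window in seconds), tracked per source IP.
SYN_FLOOD_TIERS = [(100, 1.0), (250, 5.0)]
PING_FLOOD_TIERS = [(200, 2.0)]

class FloodTracker:
    """Sliding-window counter per source IP; a packet is dropped once any tier is exceeded."""
    def __init__(self, tiers):
        self.tiers = tiers
        self.longest = max(window for _, window in tiers)
        self.history = defaultdict(deque)   # src_ip -> timestamps inside the widest window

    def check(self, src_ip, ts):
        times = self.history[src_ip]
        times.append(ts)
        while ts - times[0] > self.longest:  # forget packets older than the widest window
            times.popleft()
        for limit, window in self.tiers:
            if sum(1 for t in times if ts - t <= window) > limit:
                return "drop"
        return "allow"

def simulate_flood(tiers, rate_per_sec, seconds, src_ip="198.51.100.7"):
    """Constructed input: one source sending at a steady rate; returns (allowed, dropped)."""
    tracker, allowed, dropped = FloodTracker(tiers), 0, 0
    for i in range(int(rate_per_sec * seconds)):
        if tracker.check(src_ip, i / rate_per_sec) == "drop":
            dropped += 1
        else:
            allowed += 1
    return allowed, dropped
```

A burst of 200 SYN/s trips Tier 1 at the 101st packet, while a slower 60 SYN/s stream passes Tier 1 but trips Tier 2 after 250 packets, which is why the reply describes two tiers.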