Well, we should know more about what kind of traffic the router considers abnormal and marks as a DoS. Unfortunately the example doesn't say anything.
Some things that would be useful to clarify:
- Does the suspicious traffic come from within the network or from the outside?
- Is there some apparent pattern in the traffic? I.e., is it destined to a specific host and coming from multiple sources, or the opposite?
- What is the duration of each "attack" and what hosts of your network does it involve (operating system, role: whether they serve as a workstation or provide some kind of service)?
You could configure your router to log the full header information of the traffic, or ideally the whole traffic including the payload. This should provide enough information to tell what's going on.
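
Added example, not part of the original post: once header logging is enabled, a short script can answer the three questions above (direction, many-to-one versus one-to-many, duration) from the records. The log format, the `192.168.1.0/24` LAN range, the `summarize` helper and the sample records are all assumptions constructed for illustration; adapt the parsing to what your router actually writes.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample records in an assumed format: "timestamp src dst dst_port".
SAMPLE_LOG = """\
2024-01-10T10:00:00 203.0.113.5 192.168.1.10 80
2024-01-10T10:00:01 198.51.100.7 192.168.1.10 80
2024-01-10T10:00:02 203.0.113.99 192.168.1.10 80
2024-01-10T10:00:40 198.51.100.23 192.168.1.10 80
2024-01-10T10:05:00 192.168.1.20 203.0.113.50 22
2024-01-10T10:05:01 192.168.1.20 203.0.113.51 22
2024-01-10T10:05:02 192.168.1.20 203.0.113.52 22
2024-01-10T10:06:00 192.168.1.30 192.168.1.40 445
"""
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range

def side(ip):
    return "internal" if ip in LOCAL_NET else "external"

def summarize(log_text, min_peers=3):
    """Return hosts that talk to, or are reached by, at least min_peers distinct peers."""
    new = lambda: {"peers": set(), "ports": set(), "times": []}
    fan_in, fan_out = defaultdict(new), defaultdict(new)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        ts = datetime.fromisoformat(ts)
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Index each record twice: by destination (fan-in) and by source (fan-out).
        for table, host, peer in ((fan_in, dst, src), (fan_out, src, dst)):
            table[host]["peers"].add(peer)
            table[host]["ports"].add(int(port))
            table[host]["times"].append(ts)
    findings = []
    for pattern, table in (("many-to-one", fan_in), ("one-to-many", fan_out)):
        for host, info in table.items():
            if len(info["peers"]) < min_peers:
                continue
            findings.append({
                "pattern": pattern, "host": str(host), "host_side": side(host),
                "peer_sides": sorted({side(p) for p in info["peers"]}),
                "peers": len(info["peers"]), "ports": sorted(info["ports"]),
                "duration_s": (max(info["times"]) - min(info["times"])).total_seconds(),
            })
    return findings

if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG):
        print(finding)
```
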