pf integration combining BGP information with pf capabilities is very powerful limit states per source address, depending on AS max-src-nodes, max-src-states max-src-conn / max-src-conn-rate help fighting DDoS identify attack origin ASes