congestion indicator in stack and pf with the flag indicating congestion, we can now react. we let pf stop ruleset evaluation and drop the packet as long as it is set state lookups still happen. already established connections are almost unaffected by the CPU time shortage we just drop packets more selectively