I chased an intermittent DNS bug for two weeks and for once, it was not DNS:
"PF states limit reached"
If you use opnsense/pfsense, the default state table size of 1.6m can sneak up on you when your network is full of scans. Poking around with `pfctl -si` and setting a much healthier max with aggressive expiration made everything happy again.
Related, runZero handles this problem by actively tearing down middle-box state tables during SYN scans, which ironically means sending twice as many packets, but having a much lower impact on the network as a result.