social @ 2025-08-20

I chased an intermittent DNS bug for two weeks and, for once, it was not DNS:

"PF states limit reached"

If you use OPNsense/pfSense, the default state table size of 1.6M can sneak up on you when your network is full of scans. Poking around with `pfctl -si` and setting a much healthier max with aggressive expiration made everything happy again.
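A small check for the condition above, added here as an example and not part of the original post: it reads the "current entries" figure from `pfctl -si` and the "states hard limit" from `pfctl -sm` and warns when the state table is nearly full. The `pfctl` output embedded below is constructed to match the real field names; the threshold and function names are my own.

```shell
#!/bin/sh
# Added example: estimate pf state-table utilisation from the text of
# `pfctl -si` (current entries) and `pfctl -sm` (states hard limit) so the
# "PF states limit reached" condition can be caught before it bites.
# The two samples are constructed to mimic the real output format.

SAMPLE_SI='Status: Enabled for 12 days 03:11:45          Debug: Urgent

State Table                          Total             Rate
  current entries                  1540321
  searches                      9123456789        8640.0/s
  inserts                         81234567          76.9/s
  removals                        79694246          75.5/s'

SAMPLE_SM='states        hard limit  1600000
src-nodes     hard limit   400000
frags         hard limit     5000
table-entries hard limit  2000000'

# pf_state_count SI_TEXT -> prints the "current entries" value
pf_state_count() {
    printf '%s\n' "$1" | awk '/current entries/ {print $3; exit}'
}

# pf_state_limit SM_TEXT -> prints the "states hard limit" value
pf_state_limit() {
    printf '%s\n' "$1" | awk '$1=="states" && $2=="hard" {print $4; exit}'
}

# pf_state_pct SI_TEXT SM_TEXT -> integer percent of the limit in use
pf_state_pct() {
    count=$(pf_state_count "$1")
    limit=$(pf_state_limit "$2")
    echo $(( count * 100 / limit ))
}

# pf_state_check SI_TEXT SM_TEXT THRESHOLD -> 0 if below threshold, 1 if at/above.
# The fix hinted at in the warning is the pf.conf pair
# `set limit states N` / `set optimization aggressive` (the GUI equivalents are
# "Firewall Maximum States" and "Firewall Optimization Options").
pf_state_check() {
    pct=$(pf_state_pct "$1" "$2")
    if [ "$pct" -ge "$3" ]; then
        echo "WARN: pf state table at ${pct}% of limit; raise 'set limit states' and consider 'set optimization aggressive'"
        return 1
    fi
    echo "OK: pf state table at ${pct}% of limit"
    return 0
}

# On a live firewall: pf_state_check "$(pfctl -si)" "$(pfctl -sm)" 80
pf_state_check "$SAMPLE_SI" "$SAMPLE_SM" 80 || true
```

Run it from cron against the live `pfctl` output to get an early warning instead of a two-week bug hunt.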

Related, runZero handles this problem by actively tearing down middle-box state tables during SYN scans, which ironically means sending twice as many packets, but having a much lower impact on the network as a result.