real life interrupts

Henning had a big distributed synflood at work
firewalls so busy, couldn't even work on the console
so add the congestion handling
detect overload: input queue is full is a clear indicator
pf stops ruleset eval for 10ms and just does state lookups
still dropping packets, but much more selectively than before
preferring established over new connections
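The behaviour on this slide as a small C model, added here as an example; it is not pf source code. The struct, the function names, the flow ids and the stand-in ruleset are assumptions made for illustration; only the 10ms window and the "state lookups only" rule come from the slide.

```c
/* Simplified model of the congestion handling described above; not pf source. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define CONGESTION_HOLD_US 10000   /* 10 ms, the figure from the slide */
#define MAX_STATES 8

enum verdict { PASS_STATE, PASS_RULE, DROP_RULE, DROP_CONGESTED };

struct filter {
    uint32_t states[MAX_STATES];   /* constructed: flow ids of established connections */
    size_t   nstates;
    uint64_t congested_until_us;   /* ruleset evaluation is skipped before this time */
    unsigned rule_evals;           /* how often the expensive ruleset walk ran */
};

/* Hypothetical hook: the input path calls this when its queue is full. */
void note_queue_full(struct filter *f, uint64_t now_us) {
    f->congested_until_us = now_us + CONGESTION_HOLD_US;
}

static bool state_lookup(const struct filter *f, uint32_t flow) {
    for (size_t i = 0; i < f->nstates; i++)
        if (f->states[i] == flow) return true;
    return false;
}

/* Stand-in ruleset (constructed policy): pass even flow ids and create state. */
static bool ruleset_eval(struct filter *f, uint32_t flow) {
    f->rule_evals++;
    if (flow % 2 != 0) return false;
    if (f->nstates < MAX_STATES) f->states[f->nstates++] = flow;
    return true;
}

enum verdict filter_packet(struct filter *f, uint32_t flow, uint64_t now_us) {
    if (state_lookup(f, flow)) return PASS_STATE;             /* cheap path first */
    if (now_us < f->congested_until_us) return DROP_CONGESTED; /* no ruleset walk */
    return ruleset_eval(f, flow) ? PASS_RULE : DROP_RULE;
}

int main(void) {   /* constructed flood: flow 2 is established, flow 4 is new */
    struct filter f = {0};
    filter_packet(&f, 2, 0);
    note_queue_full(&f, 1000);
    return filter_packet(&f, 4, 5000) == DROP_CONGESTED ? 0 : 1;
}
```

During the window `rule_evals` stays flat, which is the CPU the firewall gets back while established traffic keeps flowing.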