pf suggestions for paced attack

John john at starfire.mn.org
Mon May 3 14:41:11 UTC 2010


The script kiddies have apparently figured out that we use some
time-window sensitivity in our adaptive filtering.  From sshd, I've
been seeing "reverse mapping checking getaddrinfo ... failed" and
from ftpd (when I have the port open at all, which is rare), I am
seeing probes at about 27 second intervals.  This stays well below
the 3/30 (three connections in 30 seconds) sensitivity that I had
been using.  It took them nearly two and a half hours to make 154
attempts, but computers are very patient.

I have now changed the timing window sensitivity, but it's to the
point now where there's a significant probability that someone could
lock themselves out (temporarily, at least, I do clear these tables
periodically) if they are having a bit of a fat-finger moment with
their password.

Anybody got any superior suggestions?
-- 

John Lind
john at starfire.MN.ORG
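
The pacing effect described in the message above, as an added example that is not part of the original post: a simplified sliding-window counter (not pf's own implementation) run over constructed timelines. Only the 3/30 rule, the 27-second interval and the 154 attempts come from the post; the 5/300 and 2/300 rules and the typo timeline are assumptions chosen for illustration.

```python
from collections import deque

def first_trip(timestamps, limit, window):
    """Index of the first event that makes more than `limit` events fall
    inside the trailing `window` seconds, or None if the rule never trips."""
    recent = deque()
    for i, t in enumerate(timestamps):
        recent.append(t)
        # Drop events that are a full window (or more) older than this one.
        while recent[0] <= t - window:
            recent.popleft()
        if len(recent) > limit:
            return i
    return None

# Constructed timelines, in seconds from the first event.
PACED_PROBE = [i * 27 for i in range(154)]  # one attempt every 27 s, 154 attempts
TYPO_USER = [0, 12, 25]                     # assumed: three mistyped passwords in 25 s

# (limit, window) pairs; only 3/30 is from the post, the others are hypothetical.
RULES = {"3/30": (3, 30), "5/300": (5, 300), "2/300": (2, 300)}

def evaluate():
    """Map each rule to the event index at which each source would be blocked."""
    return {
        name: {
            "paced_probe": first_trip(PACED_PROBE, limit, window),
            "typo_user": first_trip(TYPO_USER, limit, window),
        }
        for name, (limit, window) in RULES.items()
    }

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```

A longer window catches the paced source within a few attempts, and the tightest rule also blocks the legitimate user on the third typo, which is the trade-off the message describes.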


More information about the freebsd-questions mailing list