The WordPress page states that this began as an attack against a single server, but continued against the upstream infrastructure.
Without knowing anything more than this, it's impossible to provide any useful advice. So I'll reply in the same vague terms.
There are three steps:
1. Determine the nature of an attack, and how it differs from valid, desired traffic.
2. Block the bad traffic, and the bad traffic only.
3. Go to Step 1, for the next attack.
Can tools like PF help? Sure. Stateful Tracking Options are an easy fix for certain types of DoS attacks. But not for all.
And any sort of PF rule won't help until you reach Step 2. Getting there requires completing Step 1. And that's the hard part.
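
Added example, not part of the original post: a pf.conf fragment showing the Stateful Tracking Options mentioned above, applied to one case where Step 1 has already shown that the bad traffic is many full TCP connections from a few sources. The interface name, ports, table name and limits are assumptions chosen for illustration.

```conf
# Constructed example. em0, the port list and every limit below are
# assumptions; derive real limits from what normal clients actually do.
ext_if    = "em0"
web_ports = "{ 80, 443 }"

# Sources that exceeded the limits are collected here.
table <abusers> persist

# Drop listed sources before any pass rule is evaluated.
block in quick on $ext_if from <abusers>

# Stateful tracking options on the pass rule:
#   max-src-conn 100       at most 100 simultaneous established
#                          connections per source address
#   max-src-conn-rate 15/5 at most 15 new connections per 5 seconds
#                          per source address
#   overload <abusers>     add an offending source to the table
#   flush global           kill all existing states from that source,
#                          including states created by other rules
pass in on $ext_if proto tcp from any to any port $web_ports \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <abusers> flush global)
```

These limits count only TCP connections that have completed the three-way handshake, so they do nothing against spoofed SYN floods or traffic that saturates the upstream link. Table entries do not age out on their own; `pfctl -t abusers -T expire 3600` run periodically removes addresses added more than an hour ago.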