in the mean time you could try and find the differences between the DDOS packets & the good packets by doing packet captures (& analyzing them in wireshark)
If you set pfBlocker to "native alias" instead of block, that will just create an alias and you can create your own block/allow rules however you want them.