You may not need to block all of your overloaders
For a mail or web service, for example, you could instead:
put overloaders in a minimal-bandwidth queue (ALTQ)
redirect (rdr) overloaders to a specific site/address
or if you just want to be evil:
match from <bruteforce> set prio 0
block from <bruteforce> probability 67%
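The queue and rdr options above, sketched as a pf.conf fragment. This is an added example, not part of the original slides. It uses the ALTQ-era syntax the slide refers to (newer OpenBSD releases replaced ALTQ with a different queue syntax), and the interface name, addresses, queue sizes and connection limits are assumptions.

```pf
# Constructed example: interface, addresses and limits are placeholders.
ext_if    = "em0"
webserver = "192.0.2.10"   # documentation-range address
sorryhost = "192.0.2.99"   # hypothetical host serving a static "slow down" page

table <bruteforce> persist

# ALTQ on the external interface: one normal queue, one tiny queue.
altq on $ext_if cbq bandwidth 100Mb queue { main, smallpipe }
queue main      bandwidth 99% cbq(default)
queue smallpipe bandwidth 1%  cbq

# Option 1: hosts already in <bruteforce> are still served, but their
# reply traffic leaves through the minimal-bandwidth queue.
pass in quick on $ext_if inet proto tcp from <bruteforce> \
    to $webserver port www queue smallpipe

# Option 2 (use instead of option 1): send them to a different address.
# pass in quick on $ext_if inet proto tcp from <bruteforce> \
#     to $webserver port www rdr-to $sorryhost

# Everyone else gets normal service; a source that exceeds the limits
# is added to <bruteforce> and hits the rule above on its next connection.
pass in on $ext_if inet proto tcp to $webserver port www \
    keep state (max-src-conn 100, max-src-conn-rate 15/5, \
    overload <bruteforce>)
```

The quick rule has to come before the general pass rule, otherwise the last matching rule wins and overloaders keep getting the default queue. Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch the table with `pfctl -t bruteforce -T show`.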