I'm currently studying how our hardware firewall works as I write this, and in doing so just got introduced to the concept of stateful packet inspection (SPI), which is the method our firewall uses. From what I understand, SPI prevents DOS attacks by inspecting packets and dropping packets that result from multiple pings from the same location.

So, my question is this: Is there a way an attacker could get around our SPI to successfully launch a DOS against us? At first glance, it wouldn't seem so since the packets would be dropped, but there's almost a way around everything. Perhaps an attacker could succeed using multiple zombies so that packets wouldn't come from the same location and thus not be dropped?