Thank you!
And sorry to inform you that this answer does not help - it makes it even more confusing. :-)
The only advantage is that I am now sure everything was correctly set up.
My network is a private small network with physical access for me only in a tiny small village. The attack took place during the night, while all in the house were sleeping. I noticed many "Dst IP session limit!" and "IP spoofing! From" alerts (what on Earth do IP addresses from the USA want from me and my firewall???)
Sorry, but it does not make sense.
I also have screening enabled on my untrust interface. Changed the DoS thresholds to 1, maybe they will leave me in peace...
Regards