Blog | G5 Cyber Security

The Old Man Still Has It

Last week SANS Internet Storm Center posted a Packet Analysis Challenge. I downloaded the trace and looked at it using Tcpdump. After about five minutes I recognized the pattern as one I wrote about in late 1999 and presented that paper at SANS 2000. I also wrote about this pattern in the DNS chapter in The Tao of Network Security Monitoring. If you want to read SANS’ explanation of the trace, please read today’s solution. The traffic I posted was submitted to us by a university.

Source: https://taosecurity.blogspot.com/2006/08/old-man-still-has-it.html
