Last week you may have seen this Packet Analysis Challenge posted at the SANS Internet Storm Center. I downloaded the trace and looked at it using Tcpdump. After about five minutes I recognized the pattern as one I wrote about in late 1999 and presented that paper at SANS 2000.
I submitted a link to my paper as an explanation, and Lorna wrote back:
Yes, this traffic falls into the category of the one you discuss in "A Final Case". The traffic I posted was submitted to us by a university. You are the first person to get this right! Nicely done!
I also wrote about this pattern in the DNS chapter in The Tao of Network Security Monitoring.
If you want to read SANS' explanation of the trace, please read today's solution.