This time around, packets from one of my own DNS servers. If you would like to follow along, you can find the full unobfuscated packet trace here. (quick update... turns out that the router and DNS queries involved are part of www.nlnetlabs.nl, a network research labs that does experiment with DNS servers... so maybe this is all some side effect of an experiment they are running. Thanks to Don for pointing this out to me. After visiting their website, I did see a number of similar ICMP admin prohibited packets with flipped fragmentation bytes, but the embeded packet's source port was 80!

The link for this article located at SANS is no longer available.