DDoS Packet Forensics: Take me to the hex!
John Graham-Cumming and his colleague Marek investigated a DDoS attack against one of their DNS servers in which the source IP addresses were spoofed. Looking at the raw packets, they noticed a correlation between the TTL field in the IP header and the IPv4 source address. The 'random' UDP source port turned out to be the first two bytes of the random source IP address reversed. A relationship between the TTL and the first byte of the source IP was also established, as was one between the DNS ID field and the first two bytes of the source IP. However, the method by which the random source IPs themselves are generated remains a mystery.
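As an added illustration (not code from the Cloudflare post), the check below parses the relevant fields out of a raw IPv4/UDP/DNS packet and tests the one fingerprint the summary spells out: the UDP source port equals the first two octets of the source IP byte-swapped. The byte order of that swap, the constructed sample packets, and the 192.0.2.53 server address are assumptions; the TTL and DNS ID correlations are mentioned but not specified, so they are not implemented.

```python
import struct
from typing import NamedTuple


class Fields(NamedTuple):
    src_ip: tuple   # four octets
    ttl: int
    src_port: int
    dns_id: int


def parse_udp_dns(packet: bytes) -> Fields:
    """Extract TTL, source IP, UDP source port and DNS ID from a raw IPv4/UDP/DNS packet."""
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    ttl = packet[8]                                   # TTL sits at offset 8
    src_ip = struct.unpack("!4B", packet[12:16])      # source address at offset 12
    src_port = struct.unpack("!H", packet[ihl:ihl + 2])[0]
    dns_id = struct.unpack("!H", packet[ihl + 8:ihl + 10])[0]  # DNS header follows 8-byte UDP header
    return Fields(src_ip, ttl, src_port, dns_id)


def port_matches_reversed_ip(f: Fields) -> bool:
    """Fingerprint from the post: source port == first two IP octets byte-swapped (assumed order)."""
    return f.src_port == ((f.src_ip[1] << 8) | f.src_ip[0])


def build_packet(src_ip, ttl, src_port, dns_id) -> bytes:
    """Constructed minimal IPv4 + UDP + DNS header; sample input, not a real capture."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + 12, 0, 0, ttl, 17, 0,
                         bytes(src_ip), bytes((192, 0, 2, 53)))
    udp_hdr = struct.pack("!HHHH", src_port, 53, 8 + 12, 0)
    dns_hdr = struct.pack("!HHHHHH", dns_id, 0x0100, 1, 0, 0, 0)
    return ip_hdr + udp_hdr + dns_hdr


def spoof_ratio(packets) -> float:
    """Fraction of packets in a batch that carry the fingerprint; a high ratio flags the flood."""
    fields = [parse_udp_dns(p) for p in packets]
    return sum(port_matches_reversed_ip(f) for f in fields) / len(fields)


# Constructed sample: two packets built the way the attack tool would, one ordinary client.
SAMPLE = [
    build_packet((10, 20, 30, 40), 60, (20 << 8) | 10, 0x1234),
    build_packet((172, 16, 5, 9), 55, (16 << 8) | 172, 0xABCD),
    build_packet((203, 0, 113, 7), 64, 40123, 0x0042),
]
```

Running `spoof_ratio(SAMPLE)` on this batch gives 2/3; on live traffic a ratio near 1.0 over a window of queries is the signal worth alerting on, since legitimate resolvers pick ephemeral ports independently of their address.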
Company: Cloudflare
Date published: Jan. 6, 2015
Author(s): John Graham-Cumming
Word count: 666
Hacker News points: None found.
Language: English