I have seen that too.
In our case, it was a misguided attempt to evade the Blaster worm. In the early days of that worm, some NetAdmins changed the name resolution for windowsupdate.com to 127.0.0.1 to stop any infected machines from attacking windowsupdate.com. Instead, the infected machine attacks itself. In doing so, the infected machine receives the connection, and then replies to its own spoofed source address - which in this case happens to be one of yours. These are the packets we saw: an infected machine's responses to its own self-inflicted attack using your source address as a spoof!
As the original attacking packet is generated inside the infected machine itself, the only way you are going to track this down to a machine is by snooping the segment the packets are coming from, find the MAC address, and trace it to a port. But since this is probably happening off your site, there is very little you can do about it.
Kevin Dorrell,
Luxembourg