ICMP traffic hitting firewall from inside

I have been getting a ton of ICMP traffic on my network.

Here is my environment:

                          Internet
                             |
                  Watchguard X700 Firewall
                             |
           +-------------- x.x.1.0 -------------+
           |                                    |
x.x.1.1 (A) Vina 200 eLINK          Netopia 5300r (A) x.x.1.7
           |                                    |
          NPN                                   T1
           |                                    |
x.x.2.1 (B) Vina 200 eLINK          Netopia 5300r (B) x.x.3.1
           |                                    |
        x.x.2.0                              x.x.3.0

~120 computers, plus servers; three Dell PowerConnect 2624 switches and one PowerConnect 2716.

My firewall shows this:

01/27/06 14:05 firewalld[107]: deny out eth1 40 tcp 20 29 68.143.171.250 68.232.44.65 2745 4631 rst ack (spoofed source address)

We have connected a hub between the switch and the firewall and used Ethereal to sniff traffic. The source and target IPs change almost randomly. Some are IPs that are from my subnet, and some are more like you see from the example above.

The only common thread between all of the packets is the spoofed MAC addys:

Source: 08:00:2B:00:DC:DC Target: 08:00:2B:00:01:02

The source MAC is from DEC equipment. I don't believe any of our devices use DEC technology or should show up as a DEC MAC. I'm open for debate on that subject.

We THINK we have narrowed it down to the x.x.1.0 location, but I'm not entirely convinced.

In any case, it is a significant amount of traffic, and at times pegs the (A) Netopia at 99% CPU, when the (B) Netopia is around 27%.

It has been suggested that there may be someone playing with nmap or other tools, but my users are not technologically adept.

We are a not-for-profit serving the needs of abused women and children, so our users are not what I could call savvy at all. Toss them an IP address, and they'll probably pick up the phone and dial it. I don't believe it is anyone playing with nmap or any other tool.

We have researched this thoroughly and have found some posts on Usenet groups, but no information as to the resolution. Most of the discussions degenerated into waxing ecstatic about DEC equipment or a discussion about using the term VAXen. :P

If I'm trying to track down a spoofed MAC address from, say, a trojan, am I stuck with connecting to every PC, NIC to NIC via crossover cable, and using Ethereal to sniff packets?

Any information would be greatly appreciated.

Thank you.

synergy
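
Added example, not part of the original post: the "common thread" check described above (source IPs that keep changing behind one constant source MAC) written as a small capture-analysis script. The 10.0.x.0/24 networks stand in for the masked x.x.1.0, x.x.2.0 and x.x.3.0 subnets, the frames are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
import struct
from collections import defaultdict

# Assumption: constructed stand-ins for the masked x.x.1.0/x.x.2.0/x.x.3.0 subnets.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24")]

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Build a minimal Ethernet + IPv4 header (constructed sample data)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 29, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip

def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    src, dst = (":".join(f"{x:02X}" for x in m) for m in (frame[6:12], frame[0:6]))
    return src, dst, ipaddress.ip_address(frame[26:30])

def suspicious_macs(frames, max_ips=2):
    """Flag source MACs that claim many IPs or any IP outside LOCAL_NETS."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed:
            seen[parsed[0]].add(parsed[2])
    report = {}
    for mac, ips in seen.items():
        foreign = sorted(str(ip) for ip in ips
                         if not any(ip in net for net in LOCAL_NETS))
        if len(ips) > max_ips or foreign:
            report[mac] = {"distinct_ips": len(ips), "off_subnet": foreign}
    return report

DEC_SRC, DEC_DST = "08:00:2B:00:DC:DC", "08:00:2B:00:01:02"
SAMPLE = [  # constructed capture: one normal host, one MAC with shifting IPs
    build_frame("00:11:22:33:44:55", "00:11:22:33:44:01", "10.0.1.20", "10.0.1.1"),
    build_frame(DEC_SRC, DEC_DST, "68.143.171.250", "68.232.44.65"),
    build_frame(DEC_SRC, DEC_DST, "10.0.1.33", "10.0.3.9"),
    build_frame(DEC_SRC, DEC_DST, "10.0.2.77", "68.232.44.65"),
]
print(suspicious_macs(SAMPLE))
```

On a routed segment, a router's own MAC legitimately carries many source IPs, so known router MACs should be excluded before reading the report.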