Maybe what you are seeing is a exploit technique used to determine operating system. To fingerprint a network, people use an IP source 0.0.0.0 and a IP destination of 0.0.0.0, set the ACK bit, and broadcast at the Ethernet layer.
Whether it be the casual script kiddie trying out new code or the hard core packeteer trying to remove your service you could not know without firewall forensic...
Just try limitate icmp-type ping and see what happen. If youre running a linux firewall iptables code for linux 2.4.*/2.6.* contains a few chains to play with dos attacks like LOG and MIRROR chains. You can effectively create rate limiters to drop excess packets and avoid DoS.
/sbin/iptables -A INPUT -m limit -p icmp --icmp-type ping --limit 3/second --limit-burst 10 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type ping -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP
This example script will let every ping under 3/second through, and drop the rest and I taken it from http://red0x.no-ip.com/papers/netsec.html.
