Nmap and its decoy lists. This is probably the culprit. I can send a scan to a target, and set a decoy list as well. This sends my scan along with a number of spoofed IP's that show up in the firewall's or ids's log files. As an admin, looking at the logs show that 20 different IP's are doing the same scan...which one is the real attacker?
I could set a decoy list for 10.1.1.1, 10.1.1.2, etc, etc.
I'm sure this is, or something like this, is the issue.
Just my theory anyway....