Security Incidents mailing list archives

Odd UDP scan


From: dmeissner () PUNCHNETWORKS COM (David Meissner)
Date: Wed, 15 Mar 2000 11:25:53 -0800


For several weeks now I've noticed scans of UDP port 137, but the odd thing
is that the source address is spoofed as a private IP address. I don't
understand how this can be a probe, since they'll never see the replies. It
also doesn't seem like a DOS attack since it's a somewhat slow scan and it
doesn't go on for too long.

Sample log:

00:06:26.478367 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
00:06:27.951993 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
00:06:29.460189 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
00:06:32.475204 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
00:06:32.475338 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp port 137 unreachable
00:06:33.979872 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
00:06:33.980001 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp port 137 unreachable
00:06:35.480653 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
00:06:35.480773 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp port 137 unreachable
00:06:38.491738 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
00:06:38.491874 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp port 137 unreachable
00:06:39.986622 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
00:06:39.986745 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp port 137 unreachable
00:06:41.497638 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
00:06:41.497771 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp port 137 unreachable

This activity goes on for about 40 minutes total to a number of other
addresses, then a similar sequence repeats about 10 minutes later but only
lasts a couple of minutes. About two hours later they repeat this again for
a couple more minutes. I've seen the same activity from source addresses
like 10.2.2.1. Maybe they're trying to guess our internal network numbers,
but what would be the point?

Can anyone suggest what might be going on?

Thanks,
David Meissner
Punch Networks
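
An added example, not part of the original message: a small Python triage script for logs in the tcpdump format shown above. It picks out UDP port 137 packets whose source is an RFC 1918 address and reports, per destination, how many probes arrived and the gaps between them. The function names are hypothetical, and the sample is adapted from the post's log with one constructed 10.2.2.1 line.

```python
import ipaddress
import re
from collections import defaultdict

# Sample adapted from the post's log; the 10.2.2.1 line is constructed.
SAMPLE = """\
00:06:26.478367 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
00:06:27.951993 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
00:06:29.460189 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
00:06:32.475204 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
00:06:32.475338 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp port 137 unreachable
00:06:33.979872 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
00:06:35.480653 10.2.2.1.137 > aaa.bbb.ccc.fff.137: udp 50
"""

# time, src.sport > dst.dport: udp len  (ICMP lines carry no port and do not match)
LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+): udp (\d+)$")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def summarize(log_text):
    """Return {private_src: {dst: [seconds since midnight]}} for UDP/137."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        h, mi, s, src, _sport, dst, dport, _length = m.groups()
        if dport != "137":
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # redacted or malformed source, cannot classify
        if any(addr in net for net in RFC1918):
            hits[src][dst].append(int(h) * 3600 + int(mi) * 60 + float(s))
    return hits

def report(hits):
    """Flatten to (src, dst, probe_count, gaps_in_seconds) rows."""
    rows = []
    for src, dsts in hits.items():
        for dst, ts in dsts.items():
            gaps = [round(b - a, 2) for a, b in zip(ts, ts[1:])]
            rows.append((src, dst, len(ts), gaps))
    return rows

if __name__ == "__main__":
    for row in report(summarize(SAMPLE)):
        print(row)
```

Packets with RFC 1918 source addresses arriving on an Internet-facing interface can be dropped by an ingress filter at the border, which also stops the ICMP unreachable replies from being generated.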

