So it looks like those scans were coming from NCATS.
This is only meant to scan networks associated with the Federal government. I’m guessing there was a misconfiguration, somewhere, ’cos Panix tell me they never requested any scans of their network :-)
Through a friend I contacted their SOC. I saw another scan yesterday and escalated. They just replied and told me that they’ve removed the IP ranges from their config.
On the plus side, the only thing flagged by their scanning was that I had TRACE enabled on my web site. Everything else looked good :-)