What causes the EAPOL-Start flood? A DDoS attack? How to find/localize the source?
In one of my departmental local networks, with 60+ computers, a flood of EAPOL-Start packets periodically occurs. At some point the wave of packets exceeds a critical threshold and some computers and devices lose their connection.
It all starts suddenly:
and then there are 10000+ packets per second. The flood can be stopped by restarting the switches in the core and on some branches.
The source of the packets is the MAC of a computer that was physically disconnected from the mains at the beginning of the flood. In the previous incident a different computer was indicated, and another time it was yet another MAC. The MAC addresses of various computers are always the ones listed.
My personal opinion is that this is a controlled DDoS attack from the inside, because it always occurs at a crucial moment: when I take part in some tenders, or when I go on vacation / time off. This is my third vacation at this job; today is actually its first day. Participation in tenders happens every day, but the flooding can occur once every 2-5 weeks, 1-2 times per week, 1-2 times during the working day.
I do not have enough experience and knowledge to find the source, and I need advice from outside, because there is no one to consult.
UPD:
Today it happened again. The MAC source is different again:
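The question asks how to localize the source of such a flood. The following is an added example (not from the poster or any project on this page) that parses raw Ethernet frames from a capture, keeps only EAPOL-Start frames (EtherType 0x888E, EAPOL packet type 1) and reports source MACs whose per-second rate exceeds a threshold; the sample frames, MACs and the 1000 pps threshold are constructed. Note that the source MAC in a flood is only what the frames claim, so it should be cross-checked against the switch port the frames actually ingress on.

```python
import struct
from collections import Counter, defaultdict

ETHERTYPE_EAPOL = 0x888E  # 802.1X / EAPOL EtherType
EAPOL_START = 1           # EAPOL packet type: EAPOL-Start
PAE_GROUP = bytes.fromhex("0180c2000003")  # 802.1X PAE group destination MAC


def parse_eapol_start(frame: bytes):
    """Return the source MAC ('aa:bb:cc:dd:ee:ff') if frame is EAPOL-Start, else None."""
    if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPOL header
        return None
    src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _version, ptype, _length = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_START:
        return None
    return src.hex(":")


def find_flood_sources(packets, threshold_pps=1000):
    """packets: iterable of (timestamp_seconds, frame_bytes).
    Returns {src_mac: peak_pps} for sources exceeding threshold in any 1-second bucket."""
    buckets = defaultdict(Counter)  # int(timestamp) -> Counter(src_mac -> count)
    for ts, frame in packets:
        src = parse_eapol_start(frame)
        if src is not None:
            buckets[int(ts)][src] += 1
    peak = Counter()
    for counter in buckets.values():
        for mac, n in counter.items():
            peak[mac] = max(peak[mac], n)
    return {mac: n for mac, n in peak.items() if n >= threshold_pps}


def build_frame(src: bytes, ptype: int = EAPOL_START) -> bytes:
    """Constructed EAPOL frame (version 1, zero body) for the sample below."""
    return PAE_GROUP + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, 0)


# Constructed capture: one host sends 3000 EAPOL-Start frames within one second,
# another host sends a single EAPOL-Start and one EAP-Packet (type 0), which is ignored.
SAMPLE = (
    [(100.0 + i / 3000, build_frame(bytes.fromhex("001122334455"))) for i in range(3000)]
    + [(100.5, build_frame(bytes.fromhex("66778899aabb")))]
    + [(100.6, build_frame(bytes.fromhex("66778899aabb"), ptype=0))]
)

if __name__ == "__main__":
    print(find_flood_sources(SAMPLE))  # {'00:11:22:33:44:55': 3000}
```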