DDoS involving forged packets from 184.108.40.206
As noticed in a tweet from @AlecMuffett, there's a large DDoS attack taking place involving forged packets that appear to come from 220.127.116.11.
I have servers on a variety of networks, and tcpdump shows traffic "from" 18.104.22.168, destination port 80, at all of them. My points of observation are widespread, so this attack is likely spraying much of the IPv4 space. The volume I'm seeing to any given host is only ~25 packets per second, but reflected traffic could be millions of times that number.
CeraNetworks/CloudRadium, the owner of 22.214.171.124/15, is responding to abuse reports with a statement that 126.96.36.199 is the target and not the source of the DDoS.
Dropping traffic to and from 188.8.131.52 can prevent your system from contributing to the reflection:
[root@host ~]# iptables -I OUTPUT -d 184.108.40.206 -j DROP
[root@host ~]# iptables -I INPUT -s 220.127.116.11 -j DROP
...or the equivalent for your OS, until the DDoS gets filtered by transit providers.
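As an added example (not code from the original post), here is a small Python script that turns the tcpdump observation above into a repeatable check: it parses lines in the default `tcpdump -n` output format, works out the sustained packet rate from each source toward port 80, flags any source above a threshold, and emits the two iptables drop rules from the post for that address so an operator can review them before applying. The threshold of 20 packets per second is an assumed value chosen to sit just under the ~25 pps seen in the post; the sample trace is constructed with RFC 5737 documentation addresses rather than the address from the post.

```python
#!/usr/bin/env python3
"""Flag a single source spraying one destination port in tcpdump output.

Added example for this post, not code from the original. The sample trace is
constructed (RFC 5737 documentation addresses) in the default ``tcpdump -n``
line format; the 20 pps threshold is an assumed value.
"""
import re
from collections import defaultdict

# Default ``tcpdump -n`` TCP line, e.g.
# 12:00:00.000100 IP 192.0.2.10.40001 > 198.51.100.7.80: Flags [S], seq 1, ...
TCPDUMP_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<us>\d{6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def make_sample_lines():
    """Constructed trace: one source sends a SYN to port 80 every 40 ms
    (25 pps) for about two seconds, while another host opens three
    ordinary connections.  Not captured data."""
    lines = []
    for i in range(50):
        us = i * 40_000
        lines.append(
            f"12:00:{us // 1_000_000:02d}.{us % 1_000_000:06d} IP "
            f"192.0.2.10.{40000 + i} > 198.51.100.7.80: Flags [S], "
            f"seq {i}, win 65535, length 0"
        )
    for i in range(3):
        lines.append(
            f"12:00:0{i}.500000 IP 203.0.113.5.{50000 + i} > "
            f"198.51.100.7.80: Flags [S], seq {i}, win 64240, length 0"
        )
    return lines


def parse(lines):
    """Yield (seconds_since_midnight, src, dst, dport, flags) per TCP line;
    lines that are not TCP (ARP, ICMP, truncated) are skipped."""
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        t = (int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
             + int(m["us"]) / 1_000_000)
        yield t, m["src"], m["dst"], int(m["dport"]), m["flags"]


def summarize(lines, dst_port=80):
    """Per-source packet count and sustained rate toward dst_port.

    The rate is count / per-source time span; a span shorter than one
    second is treated as one second so a lone packet is 1 pps, not inf."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for t, src, _dst, dport, _flags in parse(lines):
        if dport != dst_port:
            continue
        s = stats[src]
        s["count"] += 1
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    for s in stats.values():
        span = max(s["last"] - s["first"], 1.0)
        s["pps"] = s["count"] / span
    return dict(stats)


def flag_sources(lines, dst_port=80, threshold_pps=20.0):
    """Sources whose sustained rate toward dst_port meets the threshold."""
    summary = summarize(lines, dst_port)
    return sorted(src for src, s in summary.items() if s["pps"] >= threshold_pps)


def drop_rules(ip):
    """The two rules from the post, as text for an operator to review.
    In a spoofed flood the flagged address is the victim, so these stop
    this host from reflecting traffic at it rather than blocking an attacker."""
    return [
        f"iptables -I INPUT -s {ip} -j DROP",
        f"iptables -I OUTPUT -d {ip} -j DROP",
    ]


if __name__ == "__main__":
    trace = make_sample_lines()
    for src, s in sorted(summarize(trace).items()):
        print(f"{src:>15}  {s['count']:4d} pkts  {s['pps']:6.1f} pps")
    for src in flag_sources(trace):
        print(f"\n# {src} exceeds threshold; candidate mitigation:")
        print("\n".join(drop_rules(src)))
```

Feed it real output with `tcpdump -n -i eth0 'tcp dst port 80' | python3 flag_spray.py` after swapping the sample for `sys.stdin` (the parser already ignores non-TCP lines). Two caveats a practitioner should keep in mind: the rate is measured per source over its own first-to-last span, so a short burst from a legitimate client can also cross the threshold, and, as the post notes, the address that shows up here is the spoofed victim, so the drop rules are about not participating in the reflection, not about blocking the attacker.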
If you're an AS, please implement BCP38 and prevent spoofed traffic from egressing your network.
If you're an end user, consider installing and running Spoofer to help CAIDA identify networks that still allow this malicious traffic to be sent.
Card image by Sagor Kumar, via Wikimedia Commons