DDoS involving forged packets from 18.104.22.168
As noticed in a tweet from @AlecMuffett, there's a large DDoS attack taking place involving forged packets that appear to come from 22.214.171.124.
I have servers on a variety of networks, and tcpdump shows traffic "from" 126.96.36.199, destination port 80, at all of them. My points of observation are widespread, so this attack is likely spraying much of the IPv4 space. The volume I'm seeing to any given host is only ~25 packets per second, but every host that answers those spoofed SYNs sends its SYN-ACK to the purported source, so aggregated across the millions of reachable web servers the traffic landing on the victim could be many orders of magnitude larger.
CeraNetworks/CloudRadium, the owner of 188.8.131.52/15, is responding to abuse reports with a statement that 184.108.40.206 is the target of the DDoS, not its source.
Dropping traffic to and from 220.127.116.11 stops your host from answering the spoofed SYNs, and so from reflecting traffic at the victim:
[root@host ~]# iptables -I OUTPUT -d 18.104.22.168 -j DROP
[root@host ~]# iptables -I INPUT -s 22.214.171.124 -j DROP
...or the equivalent for your OS, until the DDoS gets filtered by transit providers.
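As an added example (not from the original post), the following Python script shows how to confirm the observation above from tcpdump's text output and how to derive the two drop rules from it. The capture lines are constructed for illustration and use the TEST-NET documentation ranges: 192.0.2.1 stands in for the spoofed source, 203.0.113.0/24 for the observer's own servers. The signature to look for is a bare SYN from the suspect address to port 80 that never completes a handshake; every SYN-ACK your host sends back is traffic you have reflected at the real victim.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` text output (not a real capture).
# 192.0.2.1 is the spoofed source, 203.0.113.x are the observer's servers,
# 198.51.100.7 is an ordinary client completing a normal handshake.
SAMPLE_TCPDUMP = """\
12:00:00.000123 IP 192.0.2.1.40001 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
12:00:00.040456 IP 192.0.2.1.40002 > 203.0.113.5.80: Flags [S], seq 2, win 65535, length 0
12:00:00.080789 IP 198.51.100.7.51000 > 203.0.113.5.80: Flags [S], seq 3, win 64240, length 0
12:00:00.081001 IP 203.0.113.5.80 > 198.51.100.7.51000: Flags [S.], seq 4, ack 4, win 65160, length 0
12:00:00.120000 IP 192.0.2.1.40003 > 203.0.113.5.443: Flags [S], seq 5, win 65535, length 0
12:00:01.000000 IP 192.0.2.1.40004 > 203.0.113.5.80: Flags [S], seq 6, win 65535, length 0
12:00:01.500000 IP 192.0.2.1.40005 > 203.0.113.9.80: Flags [S], seq 7, win 65535, length 0
12:00:01.900000 IP 203.0.113.5.80 > 192.0.2.1.40004: Flags [S.], seq 8, ack 7, win 65160, length 0
"""

# Matches the leading fields of a tcpdump TCP line: timestamp, src.port > dst.port, flags.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(text):
    """Yield one dict per parsable TCP line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def spoofed_syns(text, suspect, dport=80):
    """Bare SYNs (flags exactly 'S') from `suspect` to `dport`.

    A SYN from an address that never finishes the handshake is what a
    reflector sees: the SYN-ACK reply goes to the spoofed address, i.e. to
    the real victim.
    """
    return [p for p in parse_tcpdump(text)
            if p["src"] == suspect and p["dport"] == str(dport) and p["flags"] == "S"]


def syn_rate_per_second(pkts):
    """Packets per wall-clock second, keyed by HH:MM:SS."""
    return dict(Counter(p["ts"] for p in pkts))


def reflections_sent(text, suspect):
    """SYN-ACKs ('S.') this host already emitted toward the suspect address."""
    return sum(1 for p in parse_tcpdump(text)
               if p["dst"] == suspect and p["flags"] == "S.")


def drop_rules(suspect):
    """The two iptables rules from the post, rendered for the suspect address."""
    return [f"iptables -I INPUT -s {suspect} -j DROP",
            f"iptables -I OUTPUT -d {suspect} -j DROP"]


if __name__ == "__main__":
    suspect = "192.0.2.1"
    syns = spoofed_syns(SAMPLE_TCPDUMP, suspect)
    print(f"{len(syns)} bare SYNs from {suspect} to port 80")
    print("per second:", syn_rate_per_second(syns))
    print("our hosts hit:", sorted({p["dst"] for p in syns}))
    print(f"SYN-ACKs already reflected to {suspect}: {reflections_sent(SAMPLE_TCPDUMP, suspect)}")
    print("\n".join(drop_rules(suspect)))
```

On a real host, feed it `tcpdump -n -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 80'` output instead of the constructed sample; a source that shows up on unrelated servers at a steady rate with no completed handshakes is the one to drop.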
If you operate an AS, please implement BCP38 (ingress filtering) so that spoofed traffic cannot leave your network.
If you're an end user, consider installing and running Spoofer to help CAIDA identify networks that still allow this malicious traffic to be sent.
Card image by Sagor Kumar, via Wikimedia Commons