DDoS involving forged packets from 220.127.116.11
As noticed in a tweet from @AlecMuffett, there's a large DDoS attack taking place involving forged packets that appear to come from 18.104.22.168.
I have servers on a variety of networks, and
tcpdump shows traffic "from" 22.214.171.124, destination port 80, at all of them. My points of observation are widespread, so this attack is likely spraying much of the IPv4 space. The volume I'm seeing to any given host is only ~25 packets per second, but reflected traffic could be millions of times that number.
CeraNetworks/CloudRadium, the owner of 126.96.36.199/15, is responding to abuse reports with a statement that 188.8.131.52 is the target and not the source of the DDoS.
Dropping traffic to and from 184.108.40.206 can prevent your system from contributing to the reflection:
[root@host ~]# iptables -I OUTPUT -d 220.127.116.11 -j DROP [root@host ~]# iptables -I INPUT -s 18.104.22.168 -j DROP
...or the equivalent for your OS, until the DDoS gets filtered by transit providers.
If you're an AS, please implement BCP38 and prevent spoofed traffic from egressing your network.
If you're an end user, consider installing and running Spoofer to help CAIDA identify networks that still allow this malicious traffic to be sent.
Card image by Sagor Kumar, via Wikimedia Commons