raised a question about activity on 220.127.116.11 (Softlayer, Netherlands / Techpreneurs India Pvt Ltd, India), 18.104.22.168 (Game Company, Germany) and 22.214.171.124 (Syntis, France).
I hadn't seen the attack in question until today with this injection attack on a legitimate site, using a Cookie Bomb script   to send victims to a site [donotclick]11p1rjqaahmp7asqbeqd5fx.bouwslim.be via an intermediary hacked site. The malicious domain is hosted on 126.96.36.199 which forms part of this cluster of three servers.
Reverse DNS indicates tens of thousands of malicious sites, mostly subdomains of domains hijacked from customers of a Belgian company called SpeedPacket, but there are also some other malicious .ru domains some of which I have spotted before on a server in Romania.
The SpeedPacket hijacks are interesting. They have been going on since at least July, and it appears that they are being hijacked in alphabetical order. From my perspective, it looks like one domain gets hijacked, used for evil purposes.. and then it either gets cleaned up by SpeedPacket, or the bad guys are returning it once they have used it. I've never seen anything like that before. For example, using the data from VirusTotal, we can map it out as follows:
At the time of writing, only the domain bouwslim.be seems to be resolving, the rest appear to have been cleaned up.
These domains [pastebin] all appear to have been hijacked from SpeedPacket's customers and have been used in CookieBomb attacks. We can count 138 SpeedPacket domains that have been abused so far.
So, how may domains do SpeedPacket look after? We traced back the hijacked domains to their originating servers and found these 2318 domains [pastebin]. 138 out of 2318 doesn't sound too bad, until you realise that the hijack is happening alphabetically and bouwslim.be is the 316th domain on the list.. so, from that date it looks like a shocking 138/316 (44%) of SpeedPacket domains have been compromised so far.
As I said, there are also some other domains hosted on these servers including some malicious .ru domains. I don't recommend that you block the SpeedPacket customers listed, simply because blocking the IPs is simpler and less likely to block a legitimate site.. but still, if it is your network then it is your rules that apply.