following on from yesterday, this time 18.104.22.168/27 which seems to be more of the same thing.
The exploit kit in question is the Goon EK, as shown in this URLquery report. It seems that it spreads by malicious SWF files being injected into legitimate websites (I think this one, for example).
The easiest thing to do would be to block traffic to 22.214.171.124/27, but I can see the following malicious websites active in that range (all on 126.96.36.199):
Experience with this particular type of exploit kit shows that the bad guys will rotate IPs in the block, so blocking the entire /27 is advised.
At present that consists of just three domains to block, although I suspect there will be more: