following on from yesterday, this time 220.127.116.11/27 which seems to be more of the same thing.
The exploit kit in question is the Goon EK, as shown in this URLquery report. It seems that it spreads by malicious SWF files being injected into legitimate websites (I think this one, for example).
The easiest thing to do would be to block traffic to 18.104.22.168/27, but I can see the following malicious websites active in that range (all on 22.214.171.124):
Experience with this particular type of exploit kit shows that the bad guys will rotate IPs in the block, so blocking the entire /27 is advised.
At present that consists of just three domains to block, although I suspect there will be more: