On modern servers, for example Windows Server 2012 R2 you might see “suspicious” traffic to IP addresses 220.127.116.11 or 18.104.22.168 on port 3544. This traffic is coming from the Microsoft Teredo implementation. These IP addresses actually resolve to terodo.ipv6.microsoft.com
What is teredo?
Teredo is a protocol that allows computers behind a NAT firewall (most home computers are) and without a native IPv6 connection to access remote IPv6 resuorces. The idea is that home users can start accessing IPv6 web services before their local connection supports the protocol, making the transition from IPv4 easier.