Something odd I'm seeing in my router's logs today.
These are dropped inbound packets from 172.217.194.153 (si-in-f153.1e100.net), which is a Google IP.
If you https to that IP and look at the certificate you'll see a few dozen domains, most of which are various.appspot.com, a few are "thinkwithgoogle.com" and "withyoutube.com" and "app.google".
See also:
[bgp.he.net...]
These started Sept 19 at 9 am and seemed to have ended at 7:30 am today, although they come in sets separated by some time, so they might still be happening.
The source port is 443 and the destination port is highly variable. The destination IP is my WAN IP, and ordinarily when I see that, it means it's a dropped unsolicited packet, but when I see the source port as 443 or 80 then I *believe* I'm seeing a dropped packet that was part of a conversation happening between something initiated from my LAN to the web.
Doing some searches for "appspot.com" turns up indications of some possibly malicious activity associated with that domain.
I'm going to be blocking that /24 in the router in both directions and logging this so I can figure out if there is a LAN device initiating contact.
Was wondering if anyone knows anything about those domains or security issues pertaining to them.
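
As an added example (not part of the original post): one way to work through the logging step described above, matching dropped packets from the /24 against outbound connections made by LAN hosts. The iptables-style log format, the LAN and WAN addresses and the function names are assumptions constructed for illustration, and matching on port assumes the router's NAT preserves the source port.

```python
import ipaddress
import re
from collections import defaultdict

WATCHED = ipaddress.ip_network("172.217.194.0/24")  # the /24 containing the IP from the post
FIELD = re.compile(r"(\w+)=(\S+)")                  # key=value pairs, empty values skipped

# Constructed sample lines in an assumed iptables-style format; adapt to your router.
SAMPLE_LOG = """\
Sep 19 09:00:01 router kernel: LAN-OUT IN=br0 OUT=eth0 SRC=192.168.1.23 DST=172.217.194.153 PROTO=TCP SPT=51514 DPT=443
Sep 19 09:00:03 router kernel: LAN-OUT IN=br0 OUT=eth0 SRC=192.168.1.40 DST=8.8.8.8 PROTO=UDP SPT=40001 DPT=53
Sep 19 09:02:09 router kernel: WAN-DROP IN=eth0 OUT= SRC=172.217.194.153 DST=203.0.113.7 PROTO=TCP SPT=443 DPT=51514
Sep 19 09:05:30 router kernel: WAN-DROP IN=eth0 OUT= SRC=172.217.194.153 DST=203.0.113.7 PROTO=TCP SPT=443 DPT=40222
"""

def in_watched(ip):
    """True if ip falls inside the watched /24."""
    return ipaddress.ip_address(ip) in WATCHED

def correlate(log_text):
    """Return (initiators, drops) from time-ordered log text.

    initiators: LAN host -> count of outbound packets to the watched range
    drops: (remote IP, destination port, LAN host that used that port or None)
    """
    initiators = defaultdict(int)
    by_port = {}   # outbound source port -> LAN host (heuristic: NAT kept the port)
    drops = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if "SRC" not in f or "DST" not in f:
            continue
        if in_watched(f["DST"]):                      # LAN host contacting the /24
            initiators[f["SRC"]] += 1
            if f.get("SPT"):
                by_port[f["SPT"]] = f["SRC"]
        elif in_watched(f["SRC"]) and f.get("SPT") in ("443", "80"):
            # Dropped reply-looking packet: tie it to an earlier outbound flow if possible.
            drops.append((f["SRC"], f.get("DPT"), by_port.get(f.get("DPT"))))
    return dict(initiators), drops

if __name__ == "__main__":
    hosts, dropped = correlate(SAMPLE_LOG)
    print("LAN hosts that contacted the /24:", hosts)
    for remote, dport, lan in dropped:
        print(f"drop from {remote} to port {dport}: {lan or 'no matching outbound flow logged'}")
```

A drop that matches an earlier outbound flow is most likely a late packet for a connection the router had already expired; a drop with no match needs the outbound logging left on longer before drawing a conclusion.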