My iPhone is receiving unwanted connection attempts from known TOR router addresses

OK - I think I found it. All of the identified servers show up in the server list for PIA (Private Internet Access) VPN. Still not sure why it would be reaching out to these locations when my IP address changes but I guess it may ping some of their hundreds of global servers randomly even if it isn't configured to activate the VPN - I get alerts when it hits one associated with TOR/Malware.

Thanks for the response.

The router is a few years old but an up-to-date Ubiquiti UDM. I was confused as well, and presumed there was some form of unencrypted IP-IP tunneling going on allowing the UDM to decode the ultimate destination. But now I think the problem is with the language used by the Ubiquiti alert system - it reports "blocked incoming" and identifies the remote server as the source and my phone IP as the destination...but there is actually an exchange here (78B sent/74B received). I now believe this is a SYN/ACK handshake initiated by my phone; the firewall only blocked the response. So ultimately the "blocked incoming" message is accurate but not as complete a statement as it could be...and showing the destination as my private IP instead of the WAN address/port it was NAT'd to adds to the confusion. I'll suggest some changes to Ubiquiti on this.

This all makes more sense, but still begs the question as to why my phone is trying to initiate connections to servers in Iceland, Switzerland, Hungary, etc that are associated with TOR routers and flagged as suspicious/malicious in Ubiquiti's threat database (as well as several vendors in VirusTotal). Even if this ultimately turns out to be benign (eg. these IPs are hosting centers that have TOR servers and other malware alongside legit applications) it would still be nice to be able to identify which app(s) on my phone are initiating the traffic.

Note that most, but not all of these events happen when my phone returns home and obtains a WiFi IP address. I suspect the other events, which typically occur in the middle of the night while I'm asleep and my phone is home) are also associated with IP address (re)assignments - perhaps when my router and/or my phone updates and restarts. Ultimately I'm still looking for which app on my phone wants to notify people when my addressing/routing changes...if I ever figure it out I'll report back here.

I'll try to get Ubiquiti to confirm but given what I just figured out about PIA VPN servers on the addresses highlighted in the alerts, I'm pretty sure this is PIA on my phone attempting to initiate a connection that gets NAT'd through the UDM; when the reply comes back it uses the NAT entry to figure out it is intended for my phone, but blocks the packet because of the threats associated with the IP address in their database. Why exactly PIA is trying to initiate connections to global servers when it isn't configured or commanded to initiate a VPN connection is something only PIA can answer for sure - I imagine that PIA distributes updates to their server lists through their servers so they just check in when network settings change