TCP segment length 0

Hi,
I have a lot of packets from iPhones which get denied:

2019-08-31 19:11:28 Deny 192.168.9.21 31.13.72.8 https/tcp 51728 443 103-Home network Firebox invalid 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 R 51827881 win 0" Traffic
2019-08-31 19:11:28 Deny 192.168.9.21 31.13.72.8 https/tcp 51728 443 103-Home network Firebox invalid 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 R 51827881 win 0" Traffic

All packets have TCP segment length = 0, but is it by design that Fireware (12.5U1) denies these packets?

Pcap

Robert

Comments

  • I'm not seeing these from 2 iPhones here (home). But we don't do much web access with the iPhones while here.
    Both running iOS 12.4

  • Well, the real question is, should Fireware block these types of packets as invalid?

  • What is the purpose of a zero-length segment?
    Seems like they really shouldn’t exist, so maybe an invalid deny is appropriate.

  • It is going to Facebook. It is better to deny it - one never knows what that crowd is planning next. Remember Cambridge Analytica?

    Adrian from Australia

  • Could it not be some sort of keep-alive packet?

  • The iPhone even does it on secure IMAP connections:
    2019-09-01 17:53:05 Deny 192.168.9.21 46.30.211.111 imaps/tcp 53265 993 103-Home network Firebox invalid 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 R 886560318 win 0" Traffic
