Michael Horowitz
Home => What is my iPad doing?
[Formatted for Printing] From the personal web site of  Michael Horowitz

What is my iPad doing?

June 18, 2020

I know enough about computer networking to be dangerous, without actually being a real expert. For example, I know that IP v4 addresses that start with 10 are for internal use only and that no IP address on the public Internet will ever start with 10.

Knowing this, I set up an outbound firewall rule in my router (a Pepwave Surf SOHO) that both blocks and logs any attempt to communicate with a 10.something IP address. Do real experts do this? Dunno.

There are two other groups of IP v4 addresses that are reserved for internal use only and my router blocks and logs those too. This results in more logging than I care to research. I make a note of these oddball communication attempts and mentally file them away.

Back in October I blogged about Private IP addresses on the Public Internet which described one such incident. In that case, a Windows 7 computer was using UDP (as opposed to TCP) to phone home to port 55523. The computer had an internal IP address of 10.1.2.3 and it repeatedly tried to contact both 10.8.0.11 and 192.168.0.4. That blog also showed the firewall rules that are configured in my router.

The reason for this blog, is that the culprit this time was my own iPad, running the latest and greatest edition of iOS version 13.5.1.

As you can see below, in a span of 14 seconds, it made 25 attempts to contact IP address 10.0.0.146. On my LAN, the iPad was in an isolated VLAN and its IP address was 10.2.2.110. All the devices in its VLAN have an IP address that starts with 10.2.2.

There is no reason for it to communicate with any device whose IP address starts with 10.0.0. This was not a subnet used by any other VLAN on my LAN and, even if it was, the VLAN with the iPad does not allow inter-VLAN communication. Heck, it does not even allow devices in the VLAN to see each other.

17:52:35 Denied DST=10.0.0.146 ID=9307  PROTO=UDP SPT=62010 DPT=51625
17:52:35 Denied DST=10.0.0.146 ID=41919 PROTO=UDP SPT=62010 DPT=51625
17:52:34 Denied DST=10.0.0.146 ID=46686 PROTO=UDP SPT=62010 DPT=51625
17:52:34 Denied DST=10.0.0.146 ID=22483 PROTO=UDP SPT=62010 DPT=51625
17:52:33 Denied DST=10.0.0.146 ID=57511 PROTO=UDP SPT=62010 DPT=51625
17:52:32 Denied DST=10.0.0.146 ID=17655 PROTO=UDP SPT=62010 DPT=51625
17:52:32 Denied DST=10.0.0.146 ID=43464 PROTO=UDP SPT=62010 DPT=51625
17:52:31 Denied DST=10.0.0.146 ID=62561 PROTO=UDP SPT=62010 DPT=51625
17:52:30 Denied DST=10.0.0.146 ID=10289 PROTO=UDP SPT=62010 DPT=51625
17:52:30 Denied DST=10.0.0.146 ID=18283 PROTO=UDP SPT=62010 DPT=51625
17:52:29 Denied DST=10.0.0.146 ID=21681 PROTO=UDP SPT=62010 DPT=51625
17:52:29 Denied DST=10.0.0.146 ID=50132 PROTO=UDP SPT=62010 DPT=51625
17:52:28 Denied DST=10.0.0.146 ID=36854 PROTO=UDP SPT=62010 DPT=51625
17:52:27 Denied DST=10.0.0.146 ID=33866 PROTO=UDP SPT=62010 DPT=51625
17:52:27 Denied DST=10.0.0.146 ID=28890 PROTO=UDP SPT=62010 DPT=51625
17:52:26 Denied DST=10.0.0.146 ID=47313 PROTO=UDP SPT=62010 DPT=51625
17:52:25 Denied DST=10.0.0.146 ID=42510 PROTO=UDP SPT=62010 DPT=51625
17:52:25 Denied DST=10.0.0.146 ID=43008 PROTO=UDP SPT=62010 DPT=51625
17:52:24 Denied DST=10.0.0.146 ID=33157 PROTO=UDP SPT=62010 DPT=51625
17:52:24 Denied DST=10.0.0.146 ID=63189 PROTO=UDP SPT=62010 DPT=51625
17:52:23 Denied DST=10.0.0.146 ID=26136 PROTO=UDP SPT=62010 DPT=51625
17:52:22 Denied DST=10.0.0.146 ID=51953 PROTO=UDP SPT=62010 DPT=51625
17:52:21 Denied DST=10.0.0.146 ID=49932 PROTO=UDP SPT=62010 DPT=51625
17:52:21 Denied DST=10.0.0.146 ID=10627 PROTO=UDP SPT=62010 DPT=51625
17:52:21 Denied DST=10.0.0.146 ID=27441 PROTO=UDP SPT=62010 DPT=51625
an iPad running iOS 13.5.1 makes mysterious network connections

Just like the Windows 7 computer I wrote about last time, my iPad used UDP to contact a very high numbered port, in this case 51625. Ports in this range have no pre-defined usage. The source port was always 62010. For real network experts, below are some other attributes of the outbound connection attempts.

LEN=140 TOS=0x00 PREC=0x00 TTL=63 LEN=120 MARK=0x2

Apple publishes information about the ports their software uses: TCP and UDP ports used by Apple software products and About macOS, iOS, and iTunes server host connections and iTunes background processes. Nothing there about port 51625.

So, what the heck is going on?

I can't tell if the source of the network connection is an app or the operating system itself. My router can function as a network sniffer and it can generate pcap files to feed into Wireshark. Still, I don't think this can identify if the bits came from the OS or an app.

Even then, are these outgoing transmissions on purpose or is it a bug? Dunno.

 

 

 @defensivecomput TOP Home => What is my iPad doing?   
 michael--at--michaelhorowitz.com   Last Updated: June 18, 2020 11PM UTC  
  License Plate
Copyright 2001-2020
Copyright 2001-2020  
Printed at:   December 4, 2020 11:18pm   ET
Viewed 1,428 times since June 18, 2020 (8/day over 169 days)