APNs and abnormal TCP flag attack detected

OS X Server with Apple Push Notification Services (APNs) enabled can cause ZyXEL ZyWALL USG series devices to log blizzards of errors:

alert Firewall abnormal TCP flag attack detected, DROP local-IP-address:55024 apple-IP-address:2195 ACCESS BLOCK

The key detail here is that the target port, 2195, is used by APNs, and disabling APNs via Server.app does end the blizzard.

Why this is happening, I don't yet know. This will eventually involve Wireshark, most likely.
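A triage sketch for the log flood described above, added here as an example and not part of the original post: it parses alerts in the quoted format and separates those bound for port 2195 from everything else, so alerts unrelated to APNs are not buried in the noise. The function name, the sample lines and their documentation-range addresses are constructed.

```python
import re
from collections import Counter

APNS_PORT = 2195  # destination port seen in the post's log line

# Matches the alert format quoted in the post; any prefix (timestamp etc.) is ignored.
ALERT_RE = re.compile(
    r"abnormal TCP flag attack detected,\s*DROP\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?P<dst>\S+):(?P<dport>\d+)"
)

def triage(lines):
    """Split abnormal-TCP-flag alerts into APNs-bound and everything else."""
    apns_pairs = Counter()  # (src, dst) -> number of alerts to port 2195
    other = []              # alerts to any other port, kept for manual review
    unparsed = 0            # lines that are not this alert type
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            unparsed += 1
            continue
        if int(m["dport"]) == APNS_PORT:
            apns_pairs[(m["src"], m["dst"])] += 1
        else:
            other.append((m["src"], m["dst"], int(m["dport"])))
    return apns_pairs, other, unparsed

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE = """\
alert Firewall abnormal TCP flag attack detected, DROP 192.0.2.10:55024 198.51.100.7:2195 ACCESS BLOCK
alert Firewall abnormal TCP flag attack detected, DROP 192.0.2.10:55031 198.51.100.7:2195 ACCESS BLOCK
alert Firewall abnormal TCP flag attack detected, DROP 192.0.2.10:55040 198.51.100.9:2195 ACCESS BLOCK
alert Firewall abnormal TCP flag attack detected, DROP 192.0.2.44:40112 203.0.113.5:443 ACCESS BLOCK
info unrelated entry (constructed)
""".splitlines()

if __name__ == "__main__":
    apns_pairs, other, unparsed = triage(SAMPLE)
    for (src, dst), n in apns_pairs.most_common():
        print(f"APNs-bound: {src} -> {dst}:{APNS_PORT}  x{n}")
    for src, dst, dport in other:
        print(f"REVIEW:     {src} -> {dst}:{dport}")
    print(f"lines skipped (other log types): {unparsed}")
```

Anything listed under REVIEW is an abnormal-flag drop that the APNs explanation does not cover and should be looked at separately.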