Thursday, December 3, 2009

Network Magic & Linksys Easylink Advisor vs IDS

So a few weeks back, I was asked to investigate a possible SYN flood attack on the VPN segment. SYN flood, really? Well, packet capture after packet capture indicated multiple users on the VPN segment sending, sure enough, SYN packets through the VPN to other machines on the VPN. Pretty odd: why would an end machine try to communicate with other end machines over a VPN connection? Sounds suspicious, right? And why and how would VPN clients be allowed to talk to each other in the first place? Well, I don't agree with it, but hairpinning is the culprit, and after requests to turn it off were denied, I needed to find another way to halt the activity. That's when I decided to tap that connection and listen in on the VPN segment with my Snort box. For a while I didn't get any alerts, then I started getting packets that looked like the one below:
GET / HTTP/1.0
Authorization: Basic YmFkY3JlZDpoaW1vbQo=
User-Agent: Mozilla/4.0 (compatible;MSIE 5.5; Win32)
Host: 172.29.136.250
Connection: Keep-Alive

Well, Base64 encoding isn't exactly used in my usual packets... so this was a bit odd:
Basic YmFkY3JlZDpoaW1vbQo=..
Decoding it:
:badcred:himom:
That's curious. What's more curious is that every host that was exhibiting the SYN scanning behavior was also passing these credentials in an intermittent port 80 packet. It turns out that this behavior was programmed into Pure Networks' Network Magic product years ago. Then Cisco bought them, and it became Cisco's Network Magic. It also turns out that the very same behavior is exhibited by Linksys Easylink Advisor (LELA), and all new Linksys routers come with the software. Now, mind you, LELA is a great tool for people who don't know how to set up a network, but when it's on a computer that connects to a corporate network via VPN, your ASA will go nuts with SYN flood alerts and your IDS will cough up alerts as well for suspicious activity. Lesson learned.
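As an added example (not from the original post, and not Network Magic's or LELA's own code), here is a small Python triage helper that pulls the Basic auth header out of a raw HTTP request, decodes it, and flags the credential pair the post decoded from the VPN captures, so the probe traffic can be separated from legitimate Basic auth on the segment. The sample packets are constructed for the example; the first mirrors the request shown above. Note that the encoded blob actually decodes to "badcred:himom" followed by a newline, which is why the decoded value in the post shows a stray trailing character; a naive exact match would miss it.

```python
import base64
import binascii

# Credential pair decoded from the captures in the post, stored as
# (user, password). The trailing newline in the decoded blob is stripped
# before comparison so the match does not fail on that extra byte.
KNOWN_PROBE_CREDS = {("badcred", "himom")}


def basic_auth_credentials(raw_request: bytes):
    """Return (user, password) from the request's Basic auth header, or None.

    Tolerates CRLF or LF line endings and rejects malformed Base64 blobs.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.replace(b"\r\n", b"\n").split(b"\n"):
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"authorization":
            continue
        scheme, _, blob = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None  # some other scheme (Digest, Bearer, ...)
        try:
            decoded = base64.b64decode(blob.strip(), validate=True)
        except (binascii.Error, ValueError):
            return None  # not valid Base64, nothing to decode
        user, sep, password = decoded.partition(b":")
        if not sep:
            return None
        # Drop the trailing newline the probe's encoder left in the blob.
        return user.decode("latin-1"), password.rstrip(b"\r\n").decode("latin-1")
    return None


def classify_request(raw_request: bytes) -> str:
    """Label a request for triage: probe, other Basic auth, or none."""
    creds = basic_auth_credentials(raw_request)
    if creds is None:
        return "no-basic-auth"
    if creds in KNOWN_PROBE_CREDS:
        return "network-magic/lela-probe"
    return "basic-auth-other"


# Constructed sample packets (not captured traffic).
SAMPLE_PROBE = (b"GET / HTTP/1.0\r\n"
                b"Authorization: Basic YmFkY3JlZDpoaW1vbQo=\r\n"
                b"User-Agent: Mozilla/4.0 (compatible;MSIE 5.5; Win32)\r\n"
                b"Host: 172.29.136.250\r\n"
                b"Connection: Keep-Alive\r\n\r\n")
SAMPLE_OTHER = (b"GET /status HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n")
```

Feeding each request through classify_request returns "network-magic/lela-probe" for the first sample and "basic-auth-other" for the second, so the probe hosts can be listed without touching real user credentials on the wire.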
