ECN and its impact on Intrusion Detection

by Toby Miller
Sept. 19, 2017, Symantec Detection & Response

Recently, there has been some discussion on various mailing lists about the Explicit Congestion Notification (ECN) proposed standard and QUESO/nmap scan detection. The debate centers on the two reserved bits in the TCP header (bits 8 & 9): QUESO sets them in a SYN packet, and ECN uses those same two bits.
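To make the overlap concrete, the following added example (not code from the original article) reads bits 8 and 9 from a TCP header and shows a pre-ECN style signature firing on a SYN that an ECN-capable host could equally have sent. The function names, the `legacy_rule` signature logic and the sample packets are assumptions constructed for illustration.

```python
import struct

# Bit positions counted from the most significant bit of the 16-bit word at
# TCP header bytes 12-13 (data offset, reserved bits, flags), as on the page.
BIT8 = 1 << (15 - 8)   # 0x0080, named CWR by the ECN specification (RFC 3168)
BIT9 = 1 << (15 - 9)   # 0x0040, named ECE by the ECN specification (RFC 3168)
SYN, ACK = 0x0002, 0x0010


def offset_flags(tcp_header: bytes) -> int:
    """Return the 16-bit data-offset/reserved/flags word of a TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack_from("!H", tcp_header, 12)[0]


def legacy_rule(tcp_header: bytes) -> bool:
    """Hypothetical pre-ECN signature: a SYN with bit 8 or 9 set is a scan."""
    word = offset_flags(tcp_header)
    return bool(word & SYN) and bool(word & (BIT8 | BIT9))


def triage(tcp_header: bytes) -> str:
    """ECN-aware label for the same packet."""
    word = offset_flags(tcp_header)
    if not word & SYN or word & ACK:
        return "not-initial-syn"
    bits = word & (BIT8 | BIT9)
    if bits == 0:
        return "plain-syn"
    if bits == (BIT8 | BIT9):
        # Identical on the wire for an ECN-capable client and a QUESO-style probe.
        return "ecn-setup-or-probe"
    return "one-reserved-bit-set"


def make_header(flags: int) -> bytes:
    """Constructed 20-byte TCP header (ports, seq and window are sample values)."""
    word = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0, word, 8192, 0, 0)


SAMPLES = {  # constructed packets, not captures
    "plain": make_header(SYN),
    "both_bits": make_header(SYN | BIT8 | BIT9),
    "syn_ack": make_header(SYN | ACK | BIT9),
}
```

The `both_bits` sample trips `legacy_rule` while `triage` can only label it as ambiguous, because the two bits alone do not say which kind of sender produced the SYN.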