ECN and its impact on Intrusion Detection

by Toby Miller Sept. 1, 2017 via Symantec

Recently, there has been some discussion on various mailing lists about the Explicit Congestion Notification (ECN) proposed standard and QUESO/nmap scan detection. The debate centers on the two reserved bits in the TCP header (bits 8 & 9): QUESO sets them in a SYN packet, and ECN uses those same two bits.
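
The overlap described above, as an added example that is not part of the original article: a signature that alerts on any SYN with a reserved bit set also fires on an RFC 3168 ECN-setup SYN, which sets both bits (ECE and CWR). The function names, the legacy rule and the sample headers are constructed for illustration.

```python
import struct

# Flag bits in byte 13 of the TCP header. ECE and CWR are the two formerly
# reserved bits (bits 8 and 9 of the offset/reserved/flags word).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def tcp_flags(header: bytes) -> int:
    """Return the flags byte of a raw TCP header (minimum 20 bytes)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]


def legacy_reserved_bit_rule(header: bytes) -> bool:
    """Hypothetical pre-ECN signature: any SYN with a reserved bit set."""
    f = tcp_flags(header)
    return bool(f & SYN) and bool(f & (ECE | CWR))


def classify_syn(header: bytes) -> str:
    """Label an initial SYN by how it uses the two ECN bits."""
    f = tcp_flags(header)
    if not (f & SYN) or (f & ACK):
        return "not-initial-syn"
    ecn = f & (ECE | CWR)
    if ecn == (ECE | CWR):
        # RFC 3168 ECN-setup SYN: the same bit pattern the article attributes
        # to QUESO, so the flags alone cannot tell the two apart.
        return "ecn-setup-syn"
    if ecn:
        return "syn-with-one-ecn-bit"  # not an ECN-setup SYN under RFC 3168
    return "plain-syn"


def build_header(flags: int) -> bytes:
    """Constructed sample: 20-byte TCP header, made-up ports and sequence."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, flags, 8192, 0, 0)


if __name__ == "__main__":
    for flags in (SYN, SYN | ECE | CWR, SYN | ECE, SYN | ACK | ECE):
        h = build_header(flags)
        alert = legacy_reserved_bit_rule(h)
        print(f"flags=0x{flags:02x} {classify_syn(h):22} legacy_alert={alert}")
```

Because the flags byte alone is ambiguous, a sensor has to treat a SYN with both bits set as expected traffic on ECN-capable networks and rely on other context before alerting.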