Evasion detection is disclosed. Techniques are provided for network
security, including comparing a received header value to a baseline
header value, determining based on the comparison whether a threshold has
been satisfied, and generating an alert if the threshold has been
satisfied. Header values may be representative of data included in packet
headers that, depending upon the data communication protocol in use (e.g.,
TCP, IP), may include information such as a time-to-live (TTL) value
or IP options. After a received packet's header value is retrieved, it is
compared to a baseline header value and, in combination with an evaluation
of a flip count threshold, used to detect an evasion attempt.
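
One way to read the comparison and flip count check described above, as an added example that is not code from the disclosure. It assumes the baseline is the first TTL seen on a flow and that a "flip" is a transition between matching and deviating from that baseline; the class, parameter names, tolerance and sample packets are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class FlowState:
    baseline_ttl: int        # assumption: first TTL seen on the flow is the baseline
    deviating: bool = False  # did the previous packet fall outside the baseline band?
    flips: int = 0           # transitions between "matches baseline" and "deviates"
    alerted: bool = False    # alert once per flow

class TtlFlipDetector:
    """Hypothetical detector: compares each TTL to the flow baseline and counts flips."""

    def __init__(self, ttl_tolerance=1, flip_threshold=3):
        self.ttl_tolerance = ttl_tolerance    # allowed |ttl - baseline| before "deviating"
        self.flip_threshold = flip_threshold  # flips needed before an alert is raised
        self.flows = {}

    def observe(self, flow_key, ttl):
        """Return an alert dict the first time a flow reaches the flip threshold, else None."""
        state = self.flows.get(flow_key)
        if state is None:
            self.flows[flow_key] = FlowState(baseline_ttl=ttl)
            return None
        deviating = abs(ttl - state.baseline_ttl) > self.ttl_tolerance
        if deviating != state.deviating:
            # A one-off path change flips once and stays; repeated alternation keeps counting.
            state.flips += 1
            state.deviating = deviating
        if state.flips >= self.flip_threshold and not state.alerted:
            state.alerted = True
            return {"flow": flow_key, "baseline_ttl": state.baseline_ttl,
                    "ttl": ttl, "flips": state.flips}
        return None

def run(packets, **kwargs):
    """Feed (flow_key, ttl) pairs through a fresh detector and collect the alerts."""
    detector = TtlFlipDetector(**kwargs)
    return [alert for key, ttl in packets if (alert := detector.observe(key, ttl))]

# Constructed sample traffic: FLOW_A alternates TTLs, FLOW_B shifts once and stays shifted.
FLOW_A = ("198.51.100.5", 40000, "192.0.2.10", 80)
FLOW_B = ("198.51.100.6", 40001, "192.0.2.10", 80)
SAMPLE = [(FLOW_A, 57), (FLOW_A, 57), (FLOW_A, 3), (FLOW_A, 57), (FLOW_A, 4), (FLOW_A, 57),
          (FLOW_B, 57), (FLOW_B, 57), (FLOW_B, 54), (FLOW_B, 54), (FLOW_B, 54)]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print("ALERT", alert)
```

In the constructed sample only FLOW_A alerts: its TTL alternates around the baseline, while FLOW_B's single persistent shift counts as one flip and stays below the threshold.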