Evasion detection is disclosed. Techniques are provided for network security, including comparing a received header value to a baseline header value, determining based on the comparison whether a threshold has been satisfied, and generating an alert if the threshold has been satisfied. Header values may be representative of data included in packet headers that, depending upon a data communication protocol in use (e.g., TCP, IP, etc.) may include information such as a time-to-live (TTL) value or IP options. After retrieving a received packet's header value, it is compared to a baseline header value and, in combination with evaluating a flip count threshold, used to detect an evasion attempt.