TCP/IP traffic patterns: attacks, errors, steganography or normal behaviour?

Marta Rybczyńska

Abstract


This paper presents the results of research on the way the network security is affected by the current state of TCP-IP protocol suite behaviour. A number of examples of possible issues are presented. When discussing classes of such issues, it is pointed out that security is affected by the existence of not only incorrect implementations, but also differences in implementations that can be used for various purposes.

In the main part of the paper an analysis of the traffic collected on an Internet backbone link from the year 1999 up to 2006 is presented. The results show that the predicted behaviour can be observed in the real-world traffic. The differences between the measurement results and the theory are analysed, with a more in-depth look into a number of patterns and the changes of the patterns between the traffic collected in different years. In addition, an operating system detection tool is used to estimate the operating systems used by the nodes. Then the estimation is compared with anomaly patterns and the conclusions are presented. After analysing the findings, the pros and cons to different possible explanations of the observed patterns are presented, including flaws, attacks, various kinds of errors and steganography.


DOI: http://dx.doi.org/10.17951/ai.2007.6.1.185-194
Date of publication: 2015-01-04 00:00:00
Date of submission: 2016-04-27 10:20:06



Copyright (c) 2015 Annales UMCS Sectio AI Informatica

This work is licensed under a Creative Commons Attribution 4.0 International License.