Why would a stealth scan attract more attention than a connect scan?
Nmap, like any adversary tool, can be fingerprinted by Intrusion Detection Systems (IDS). As such, any of Nmap's techniques are generally classified as an attack by these modern tools -- especially Next-generation Firewall (NGFW) technologies, or the bleeding-edge equivalents of NGFWs.
Additionally, information sharing alliance centers (ISACs) are sharing Cyber Threat Intelligence (CTI) indicators (often shown as Indicators of Compromise, or IoCs) that involve either
- IP addresses that original attacker traffic, such as Nmap, and thus would be blocked or detected by an organization that has a CTI team, consumes CTI feeds, or has products or service that include a CTI element
- Network traffic signatures, such as Snort (N.B., Snort is a very popular free, open-source IDS) rules, that contain information about how Nmap works -- especially Nmap's "stealthy" scans, e.g., NULL, FIN, ACK, Window, SYN, et al
Which book are you referring to? Given the context, it appears that the author is discussing how SYN scans are potentially more noisy on a network than TCP connect() scans. This is because the SYN scan does not complete the full TCP handshake. Again, IDS/IPS, UTM, NGFW, and CTI defensive techniques will detect the SYN scan, much like many other Nmap methods and many other network penetration-testing tools and techniques.