Port Scanning Techniques and Algorithms These three scan types (even more are possible with the --scanflags option described in the next section) exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports.
When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) are OK.
The first one, a FIN scan against Para, identifies all five open ports (as open|filtered ). The next execution, an Xmas scan against scanme.nmap.org doesn't work so well. It detects the closed port, but is unable to differentiate the 995 filtered ports from the four open ones, all 999 are listed as open|filtered.
Another downside of these scans is that they can't distinguish open ports from certain filtered ones. If the packet filter sends an ICMP destination prohibited error, Nmap knows that a port is filtered. But most filters simply drop banned probes without any response, making the ports appear open.