I can’t understand nmap’s Null TCP Scan (-sN option)


nmap -sN <ip_address> sends a TCP packet to the IP with null flag values. This scan is supposed to evade firewalls.

There are several things I don’t quite get about this command though:

  1. I noticed in Wireshark that the server on which I run nmap replies with TCP packets that have the RST and ACK flags set [RST, ACK]. But the RFC states that if an open port receives a packet without a SYN, ACK or RST flag set, the packet should be ignored. So why is there a reply?
  2. Given the fact that the server actually replies: how does nmap know that a port is open/filtered? All the replies have the [RST, ACK] flags set, which provides no information whatsoever about the status of the port.
  3. Why is this technique considered evasive? Why would a firewall not understand the scan? There are still thousands of packets being sent at great speed.

Cheers
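The following is an added example, not part of the original post, written from the defender's side of the question. It builds a few TCP headers from constructed byte strings, shows what "no flags set" looks like at the header level (the signature a firewall or IDS keys on when it does recognise a Null scan), and encodes the response-to-state mapping that nmap's documentation gives for `-sN`: a RST means closed, no response means open|filtered, and an ICMP destination-unreachable with certain codes means filtered. The packet list, IP addresses and ports are all constructed for the example.

```python
import struct
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# The six flags defined in RFC 793, as bit positions in the TCP header's
# data-offset/flags field.
TCP_FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}


def build_tcp_header(src_port: int, dst_port: int, flags: int,
                     seq: int = 0, ack: int = 0, window: int = 1024) -> bytes:
    """Build a minimal 20-byte TCP header (no options, checksum left zero).

    This is only for constructing sample captures offline; it is not a
    packet sender.
    """
    data_offset = 5 << 12            # 5 x 32-bit words, i.e. no options
    offset_flags = data_offset | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)


def parse_tcp_flags(header: bytes) -> Set[str]:
    """Return the set of RFC 793 flag names set in a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    offset_flags = struct.unpack("!H", header[12:14])[0]
    bits = offset_flags & 0x1FF
    return {name for name, bit in TCP_FLAG_BITS.items() if bits & bit}


def is_null_scan_probe(header: bytes) -> bool:
    """A Null scan probe carries none of the six RFC 793 flags.

    No legitimate TCP segment looks like this: every real segment is a
    SYN, carries ACK, or is a RST/FIN, so an empty flag set is an
    unambiguous signature for a firewall or IDS that inspects flags.
    """
    return parse_tcp_flags(header) == set()


# Response models used by classify_null_scan_response():
#   None                      -> nothing came back before the timeout
#   ("tcp", {"RST", "ACK"})   -> a TCP segment with these flags
#   ("icmp", 3, 13)           -> ICMP type 3 (dest unreachable), code 13
ICMP_UNREACH_FILTERED_CODES = {1, 2, 3, 9, 10, 13}


def classify_null_scan_response(response: Optional[Tuple]) -> str:
    """Map a probe's response to the port state nmap reports for -sN.

    Rules as documented for nmap's Null/FIN/Xmas scans: RST means the
    port is closed; silence is ambiguous between open and filtered (the
    RFC-compliant open port drops the probe, and so does a filter); an
    ICMP unreachable with an admin/host/port-unreachable code means a
    filter is in the path.
    """
    if response is None:
        return "open|filtered"
    kind = response[0]
    if kind == "tcp" and "RST" in response[1]:
        return "closed"
    if kind == "icmp" and response[1] == 3 and response[2] in ICMP_UNREACH_FILTERED_CODES:
        return "filtered"
    return "unknown"


def detect_null_scan_sources(packets: List[Tuple[str, bytes]],
                             threshold: int = 3) -> Dict[str, int]:
    """Count null-flag segments per source IP and report those at/over threshold.

    `packets` is a list of (source_ip, raw_tcp_header) pairs as a sensor
    would see them. The threshold is a tunable for the example.
    """
    counts = Counter(src for src, hdr in packets if is_null_scan_probe(hdr))
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample traffic: three flagless probes from one host, plus an
# ordinary SYN from another host, to show the detector ignores normal traffic.
SAMPLE_PACKETS = [
    ("10.0.0.5", build_tcp_header(40001, 22, 0)),
    ("10.0.0.5", build_tcp_header(40001, 80, 0)),
    ("10.0.0.5", build_tcp_header(40001, 443, 0)),
    ("10.0.0.9", build_tcp_header(51000, 443, TCP_FLAG_BITS["SYN"])),
]

if __name__ == "__main__":
    print("null-scan sources:", detect_null_scan_sources(SAMPLE_PACKETS))
    for resp in (None, ("tcp", {"RST", "ACK"}), ("icmp", 3, 13)):
        print(resp, "->", classify_null_scan_response(resp))
```

The classifier makes the point behind the second question concrete: a Null scan never learns "open" from a reply. It learns "closed" from a RST and infers "open|filtered" from the absence of one, so a target that answers every flagless probe with [RST, ACK] regardless of port state (as some TCP stacks do) gives the scan nothing to work with.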