One of the simplest ways to avoid PSD is to scan slowly. With default parameters, if 4 privileged ports and 9 non-privileged ports are hit within 3 seconds, it is classified as a port scan, because 4*3 + 9*1 >= 21. With default parameters, if at least 21 non-privileged ports are hit within 3 seconds, it is classified as a port scan. With default parameters, if at least 7 privileged ports are hit within 3 seconds, it is classified as a port scan.
REQUESTS_HIGH = number of requests to non-privileged (1024 to 65535) ports within the last delay seconds
REQUESTS_LOW = number of requests to privileged (0 to 1024) ports within the last delay seconds

lo_ports_weight * REQUESTS_LOW + hi_ports_weight * REQUESTS_HIGH >= threshold

If the requests from a single IP add up to threshold or more within delay seconds, the IP is classified as a port scanner.

Weight of the packet with privileged (1024) destination port.
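The scoring rule above as a small sliding-window model, run over constructed traffic for each of the three default-parameter cases. This is an added example, not the PSD module's own code; the class and function names, the sample events, and the handling of port 1024 are assumptions.

```python
from collections import defaultdict, deque

# Defaults implied by the page's arithmetic: 4*3 + 9*1 >= 21 within 3 seconds.
LO_PORTS_WEIGHT, HI_PORTS_WEIGHT = 3, 1
THRESHOLD, DELAY = 21, 3.0


class PsdModel:
    """Per-source sliding-window score following the page's formula."""
    def __init__(self, threshold=THRESHOLD, delay=DELAY):
        self.threshold = threshold
        self.delay = delay
        self.hits = defaultdict(deque)  # src_ip -> deque of (timestamp, weight)

    def observe(self, ts, src_ip, dport):
        """Record one request; return True once src_ip reaches the threshold."""
        # Assumption: port 1024 counts as privileged (the page lists it in both ranges).
        weight = LO_PORTS_WEIGHT if dport <= 1024 else HI_PORTS_WEIGHT
        window = self.hits[src_ip]
        window.append((ts, weight))
        # Requests older than `delay` seconds no longer contribute.
        while ts - window[0][0] > self.delay:
            window.popleft()
        return sum(w for _, w in window) >= self.threshold


def first_detection(events, **params):
    """Timestamp of the first event that classifies its source, or None."""
    model = PsdModel(**params)
    for ts, src, dport in events:
        if model.observe(ts, src, dport):
            return ts
    return None


def burst(ports, step=0.1, src="192.0.2.10"):
    """Constructed sample traffic: one request per port, `step` seconds apart."""
    return [(i * step, src, p) for i, p in enumerate(ports)]


# Constructed events, one set per rule stated on the page.
MIXED = burst([22, 25, 80, 443] + list(range(8000, 8009)))  # 4 low + 9 high: score 21
HIGH_ONLY = burst(range(8000, 8021))                         # 21 high: score 21
LOW_ONLY = burst(range(20, 27))                              # 7 low: score 21
BELOW = burst(range(8000, 8020))                             # 20 high: score 20
SPREAD = burst(range(8000, 8021), step=0.2)                  # 21 high spread over 4 s

if __name__ == "__main__":
    for name in ("MIXED", "HIGH_ONLY", "LOW_ONLY", "BELOW", "SPREAD"):
        print(name, first_detection(globals()[name]))
```

SPREAD is only classified when the model is built with a longer window, for example first_detection(SPREAD, delay=5.0), which is the trade-off a defender tunes with the delay and threshold parameters.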
If you specify only an IP address or domain name and no other options: Ping scanning using TCP ACK:80 and ICMP. The IP address is reverse-DNS resolved to domain name, or vice versa in case a domain name is specified (to disable, pass -n).

List scan simply prints the specified addresses without sending a single packet to the target. The list scan option (-sL) is useful for making sure that correct addresses are specified before doing the real scan:

Note: The ending 0 in the above example does not have an effect: nmap 10.1.1.0/24 and for example nmap 10.1.1.134/24 commands are the same.