An attacker uses TCP ACK segments to gather information about firewall or ACL configuration. The purpose of this type of scan is to discover information about filter configurations rather than port state. This type of scanning is rarely useful alone, but when combined with SYN scanning, gives a more complete picture of the type of firewall rules that are present. When a TCP ACK segment is sent to a closed port, or sent out-of-sync to a listening port, the RFC 793 expected behavior is for the device to respond with a RST. Getting RSTs back in response to a ACK scan gives the attacker useful information that can be used to infer the type of firewall present. Stateful firewalls will discard out-of-sync ACK packets, leading to no response. When this occurs the port is marked as filtered. When RSTs are received in response, the ports are marked as unfiltered, as the ACK packets solicited the expected behavior from a port. When combined with SYN techniques an attacker can gain a more complete picture of which types of packets get through to a host and thereby map out its firewall rule-set. ACK scanning, when combined with SYN scanning, also allows the attacker analyze whether a firewall is stateful or non-stateful. If a SYN solicits a SYN/ACK or a RST and an ACK solicits a RST, the port is unfiltered by any firewall type. If a SYN solicits a SYN/ACK, but an ACK generates no response, the port is statefully filtered. When a SYN generates neither a SYN/ACK or a RST, but an ACK generates a RST, the port is statefully filtered. When neither SYN nor ACK generates any response, the port is blocked by a specific firewall rule, which can occur via any type of firewall.1. Speed: TCP ACK scanning is fast compared to other types of scans2. Stealth: TCP ACK scanning is stealthy3. Open Port: Cannot detect open ports4. Closed Port: Cannot detect closed ports5. Filtered Port: Can detect stateful vs non-stateful filters when combined with SYN probes6. Unfiltered Port: Can detect unfiltered ports when combined with SYN probes