Which is not quite right. It's the way the protocol is defined. Worse still,
a FIN to a listening port in itself is legitimate for some TCP close down
paths. You have to ignore the out of sequence FIN for the protocol to work
and you have to RST it for connection close down to work.

It's perhaps about time people worked harder on secure machines so scanning
doesn't matter. With a good grasp of TCP and a lot of paper I think you could
formally prove a scanner has to work.

BTW bored folks might be interested in the other stuff I've been playing with.
"Good Times" is alive and well and works even better on Usenet. Using the
Netscape and IE3/4 bugs and news articles with Content-type: text/html you can,
it turns out, replicate all the attacks across Usenet. Next question to be
resolved - can you run Java applets from news:<articleid> URLs, if so has
anyone got a Java applet to do the INN hack ... ?
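
On the FIN point above, an added example that is not part of the original message: a detection sketch that flags sources sending FINs on flows that never carried a SYN. Because a lone stray FIN can be legitimate, it only reports a source once the FINs span several distinct ports. The packet records, addresses (documentation ranges), function names and the min_ports threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample capture: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
PACKETS = [
    ("192.0.2.10", 40000, "198.51.100.5", 80, "S"),
    ("198.51.100.5", 80, "192.0.2.10", 40000, "SA"),
    ("192.0.2.10", 40000, "198.51.100.5", 80, "A"),
    ("192.0.2.10", 40000, "198.51.100.5", 80, "FA"),  # normal close
    ("192.0.2.20", 51000, "198.51.100.5", 25, "F"),   # single stray FIN
    ("203.0.113.7", 6000, "198.51.100.5", 21, "F"),   # FINs with no handshake,
    ("203.0.113.7", 6000, "198.51.100.5", 22, "F"),   # spread across ports
    ("203.0.113.7", 6000, "198.51.100.5", 23, "F"),
    ("203.0.113.7", 6000, "198.51.100.5", 25, "F"),
]


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection match."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def find_fin_probers(packets, min_ports=3):
    """Return {source: [(dst, port), ...]} for sources whose FINs arrived on
    flows with no observed SYN, across at least min_ports distinct targets."""
    seen_syn = set()            # flows where a handshake was observed
    stray = defaultdict(set)    # source -> targets hit by handshake-less FINs
    for src, sport, dst, dport, flags in packets:
        key = flow_key(src, sport, dst, dport)
        if "S" in flags:
            seen_syn.add(key)
        elif "F" in flags and key not in seen_syn:
            stray[src].add((dst, dport))
    # One stray FIN can be a legitimate close-down path, so require a spread.
    return {s: sorted(t) for s, t in stray.items() if len(t) >= min_ports}


if __name__ == "__main__":
    for source, targets in find_fin_probers(PACKETS).items():
        print(source, "sent handshake-less FINs to", targets)
```

The capture point has to see both directions and the start of each connection, otherwise long-lived flows that began before capture will look handshake-less.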