While running an external penetration test, you issue an Nmap SYN scan (nmap -sS) against a company's Internet-facing host. Nmap reports every TCP port as open|filtered, yet employees and customers can reach the web and mail services on that system without any problems. Which network-level countermeasure is most likely causing your scan to produce this result?
Disabling TCP timestamp options on the protected server
A stateful firewall or load balancer configured as a SYN proxy (TCP intercept) in front of the host
An application-layer gateway that requires client-side TLS certificates
A port-knocking scheme that only opens ports after the correct sequence is received
The open|filtered state appears when Nmap fails to receive a TCP response that lets it distinguish between an open and a filtered port. A firewall, load balancer, or router operating as a SYN proxy (sometimes called TCP intercept) answers the attacker's initial SYN on behalf of the protected host but withholds the internal SYN/ACK until the handshake is fully completed. Because Nmap never receives the expected SYN/ACK or RST packets during its half-open scan, it classifies every probed port as open|filtered even though legitimate clients can still complete full connections.
Port knocking hides individual daemons but would also require legitimate users to perform the knock sequence. Simply disabling TCP timestamps or using a NAT device without a SYN proxy does not prevent Nmap from seeing normal SYN/ACK or RST responses, so ports would still be shown as open or closed rather than open|filtered. An application-layer gateway that enforces TLS mutual authentication operates after the TCP handshake and therefore would not affect Nmap's scan results.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a SYN proxy in detail?
Open an interactive chat with Bash
Why does Nmap show ports as 'open|filtered' during a SYN scan with a SYN proxy involved?
Open an interactive chat with Bash
What is the difference between a SYN proxy and other firewall mechanisms?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Reconnaissance Techniques
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .