How to do it

The traffic patterns you should look for are:

  • ACK scanning: Multiple ACK packets are sent, usually to multiple ports, in order to break the existing TCP connections
Figure 19.15: TCP ACK scanning
  • Unusual flag combinations: This refers to anything with a URG flag, FIN together with RST, SYN together with FIN, and so on. Unusual flag combinations are anything other than the usual SYN, FIN or RST, with or without ACK. The following screenshot shows an example of this scenario. A packet with FIN, PSH and URG set together is called an Xmas scan.
Figure 19.16: TCP unusual flag combinations

TCP scans with all flags set to zero are called null scans.

Figure 19.17: TCP null scan
  • Massive FIN-ACK scanning: A large number of packets with the FIN and ACK flags set to one are sent to multiple ports in order to cause them to be closed, or simply to flood the network
Figure 19.18: TCP FIN-ACK scan
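The four patterns above can be checked mechanically once TCP flags are read as the bit values Wireshark shows in its tcp.flags field. The following is an added example, not code from the book: it classifies single packets by flag combination (null, Xmas, other unusual mixes) and flags a source as an ACK or FIN-ACK scanner when its bare-ACK or FIN-ACK packets spread over many distinct ports. The packet records, the source addresses and the port threshold are constructed assumptions; a bare ACK or FIN-ACK to one port is ordinary traffic, so only port diversity per source is treated as suspicious.

```python
"""Classify TCP flag patterns from constructed packet records (added example)."""
from collections import defaultdict

# TCP flag bits as displayed in Wireshark's tcp.flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # FIN/PSH/URG together: the Xmas scan


def classify_flags(flags):
    """Label one packet by its flag combination; None means it looks normal."""
    if flags == 0:
        return "null"           # no flags at all: null scan
    if flags == XMAS:
        return "xmas"
    if flags & URG or (flags & FIN and flags & RST) or (flags & SYN and flags & FIN):
        return "unusual"        # URG, FIN+RST, SYN+FIN and similar mixes
    return None                 # SYN, SYN/ACK, ACK, FIN/ACK, RST ... are normal


def detect_scans(packets, port_threshold=5):
    """Return {src_ip: set(labels)} for flag anomalies and per-source port sweeps.

    packets: iterable of (src_ip, dst_port, flags). Bare ACK and FIN/ACK packets
    are normal on one connection, so a source is only reported as an ACK or
    FIN-ACK scanner when it hits at least port_threshold distinct ports
    (threshold is an assumption, tune it to the network).
    """
    findings = defaultdict(set)
    ack_ports = defaultdict(set)     # ports probed with a bare ACK, per source
    finack_ports = defaultdict(set)  # ports probed with FIN+ACK, per source
    for src, dport, flags in packets:
        label = classify_flags(flags)
        if label:
            findings[src].add(label)
        if flags == ACK:
            ack_ports[src].add(dport)
        elif flags == FIN | ACK:
            finack_ports[src].add(dport)
    for src, ports in ack_ports.items():
        if len(ports) >= port_threshold:
            findings[src].add("ack_scan")
    for src, ports in finack_ports.items():
        if len(ports) >= port_threshold:
            findings[src].add("fin_ack_scan")
    return dict(findings)


# Constructed sample: an ACK sweep, an Xmas/null probe, a SYN-FIN packet,
# a FIN-ACK sweep and one ordinary connection that must not be reported.
SAMPLE = [("10.0.0.5", p, ACK) for p in range(20, 26)] + \
         [("10.0.0.7", 80, XMAS), ("10.0.0.7", 443, 0), ("10.0.0.8", 22, SYN | FIN)] + \
         [("10.0.0.9", p, FIN | ACK) for p in (22, 25, 80, 110, 443, 8080)] + \
         [("10.0.0.1", 443, SYN), ("10.0.0.1", 443, ACK), ("10.0.0.1", 443, FIN | ACK)]

if __name__ == "__main__":
    for src, labels in sorted(detect_scans(SAMPLE).items()):
        print(src, sorted(labels))
```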