Not all of nmap's scan methods are easily detectable. If you don't do OS detection, don't use an exotic scan type (XMas, NULL, FIN), and don't send pings, there should be nothing that identifies the source positively as nmap.

Using -sS is the best for most purposes; if you want the tool to remain undetected, use that.

However, an IDS which detects port scans generally will still detect it.

There is a new option that is -sI, which is the "Idle" scan. This works by spoofing packets and bouncing the replies off a "zombie" host (a host with an OS with a known sequential TCP ID generation algorithm) to detect the replies.

Using idle scan, no non-spoofed packets are sent to the target, thus it is very difficult for them to detect the true IP address of the scanner.

I have tested the idle scan (on my LAN only!) and it seems to work. It's not clear what performance or other implications there are though.

To remain entirely undetected is impossible. To effectively cloak your IP address is fairly straightforward.

By combining idle scan and decoy scans (coming from spoofed hosts which aren't really scanning), it would be very difficult for the IDS to determine your true IP address. They would have to contact the ISP of all the IPs which appear to be scanning them, until they find the true one (that would probably fail), but if that succeeded, they would then need to have IDS logs on the zombie to determine the attacker's true IP (again, unlikely).

The attacker would choose a zombie which was known not to have IDS logs of its own (typically a quiet machine left turned on with no services open or processes running). The attacker could also use known public multi-user machines as decoys (example: widely used shell services).

Slarty
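The IP ID inference the post describes, and why a host with per-packet random IP IDs cannot serve as a zombie, as an added simulation that is not part of the original post or of nmap. `Host`, `idle_scan_port` and `scan` are constructed stand-ins with no real network traffic; the "closed|filtered" label follows how nmap reports the case where nothing reaches the zombie.

```python
import random

class Host:
    """Simulated IP host: assigns IP IDs to outgoing packets and answers TCP probes."""

    def __init__(self, open_ports=(), random_ipid=False, seed=0):
        self.open_ports = set(open_ports)
        self.random_ipid = random_ipid   # True models a host with per-packet random IP IDs
        self.ipid = 1000                 # constructed starting counter for the sequential case
        self.rng = random.Random(seed)

    def _send(self):
        """Emit one packet and return the IP ID it carried."""
        if self.random_ipid:
            return self.rng.randrange(65536)
        self.ipid = (self.ipid + 1) % 65536
        return self.ipid

    def receive_syn_ack(self):
        """An unsolicited SYN/ACK is answered with a RST, which consumes one IP ID."""
        return self._send()

    def receive_syn(self, port, reply_to):
        """A SYN arrives: open port -> SYN/ACK to reply_to (which answers with a RST);
        closed port -> RST to reply_to, which reply_to silently drops."""
        self._send()                      # the reply itself, whichever kind it is
        if port in self.open_ports:
            reply_to.receive_syn_ack()    # zombie's RST burns one of its IP IDs
            return "SYN/ACK"
        return "RST"

def idle_scan_port(zombie, target, port):
    """Infer a target port's state purely from the zombie's IP ID counter."""
    before = zombie.receive_syn_ack()          # probe 1: learn the zombie's current IP ID
    target.receive_syn(port, reply_to=zombie)  # SYN carrying the zombie's address, not ours
    after = zombie.receive_syn_ack()           # probe 2: read the IP ID again
    delta = (after - before) % 65536
    if delta == 2:
        return "open"             # zombie sent one extra RST in between the probes
    if delta == 1:
        return "closed|filtered"  # nothing from the target reached the zombie
    return "unknown"              # zombie is busy, or does not use sequential IP IDs

def scan(zombie, target, ports):
    return {p: idle_scan_port(zombie, target, p) for p in ports}

if __name__ == "__main__":
    target = Host(open_ports={22, 443})
    print(scan(Host(), target, [22, 80, 443]))                  # sequential IP IDs leak port state
    print(scan(Host(random_ipid=True), target, [22, 80, 443]))  # random IP IDs break the inference
```

The second run is the mitigation: a host whose IP ID field is randomised per packet (the default on current Linux, OpenBSD and Windows) gives the scanner no usable counter, so it cannot be used as a zombie.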