"A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet. Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker's victim. All the hosts receiving the PING request reply to this victim's address instead of the real sender's address. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim's line with ping replies, bring the entire Internet service to its knees." Got that from Here, click here
In FIN scanning, due to a poor networking code in the kernel of many Operating Systems, if TCP FIN packet is sent to a port and the port replies with a TCP RST packet, then the port is closed. If there is no TCP RST packet returned, then the port is listening. Got this from here,click here
Hope this is what your asking Woodchip. Sorry if it is not.