Having chosen the target, the hacker doesn't rush to implement an attack. First, it is necessary to make sure that there are no typical honeypot attributes present (the host serves external traffic, has a configuration different from the default one, is legally used by other participants of the network, etc). Now, the hacker might thrill the administrator by actively scanning ports and periodically sending various senseless but apparently threatening strings imitating an attempt at a buffer overflow attack. In this case, it would be difficult to understand whether an actual buffer overflow took place and which query caused it.
This bombardment must be carried out through a secure link (although port scanning that doesn't result in unauthorized access is not illegal, in practice the situation is regulated by " jungle law").