Attackers normally start network debugging using the traceroute utility, which attempts to map all the hosts on a route to a specific destination host or system. Once the target is reached, as the TTL field will be zero, the target will discard the datagram and generate an ICMP time exceeded packet back to its originator. A regular traceroute will be as follows:
As you can see from the preceding example, we cannot go beyond a particular IP, which most probably means that there is a packet filtering device at hop 4. Attackers would dig a little bit deeper to understand what is deployed on that IP.
Deploying the default UDP datagram option will increase the port number every time it sends an UDP datagram. Hence, attackers will start pointing a port number to reach the final target destination.
