
Yes, I was wondering whether the original packets arrive or not as well. I'd love to see the traces. In my quick read of this article I couldn't understand the method that they used to make their determination. Was it the bad packets or the good packets that had the TTL rewritten? The fact that there is a system rewriting packets does not necessarily imply it is an attack. I once wrote a SIP client and the local ISP actually rewrote my headers -- I had a bug in the header and just sending it through the network rewrote it so that it was fixed. This was in Canada. As a result, I have absolutely no doubt that packets are being rewritten all over the place, not just in China. Detecting this is not proof in itself that this is the origin of the attack.



Responding to my own post (bad form). But hasn't he just found a network cache? Many firewalls block certain kinds of ICMP traffic for security reasons. So not being able to traceroute to some place is not suspicious in and of itself. So he sets the TTL so that it should not hit Baidu, but I notice in the picture of the last trace that he actually gets a "200 OK". I would not have thought that a man in the middle device would respond because then it would have to also know the content with which to respond. Since this is not the target Baidu machine, this has to be a cache.

It is possible that the cache is also injecting the attack, but I don't actually see anything that suggests this from the data in the article.
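The TTL-limited probing the comment above describes, as an added example that is not from the article or the commenter: each probe opens a TCP connection whose packets carry a fixed IP TTL, so a handshake that completes at a TTL smaller than the hop count to the server can only have been answered by a device closer on the path. The analysis then compares the body returned by that early responder with the body seen at full TTL, which is what separates a transparent cache serving identical content from a device returning something different (the thing that would need a closer look). `target_hops` is assumed to be measured separately, for instance from an earlier traceroute that did get through; the sample sweeps below are constructed, not real captures, and `http_probe_with_ttl` is a hypothetical helper that is not exercised offline.

```python
import hashlib
import socket
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProbeResult:
    ttl: int                      # IP TTL the probe packets were sent with
    answered: bool                # True if the TCP handshake completed and HTTP came back
    body: Optional[bytes] = None  # HTTP body of the answer, None on timeout


def http_probe_with_ttl(host: str, port: int, ttl: int, path: str = "/",
                        timeout: float = 3.0) -> ProbeResult:
    """Open one TCP connection with a fixed IP TTL and send a single GET.

    If `ttl` is smaller than the hop count to `host`, the SYN expires before
    reaching it; only a device closer on the path that terminates TCP itself
    (a transparent cache or an in-path proxy) can complete the handshake.
    Hypothetical helper (assumption); it is not run in the offline checks.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
    try:
        sock.connect((host, port))
        sock.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
        raw = b"".join(chunks)
        body = raw.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in raw else raw
        return ProbeResult(ttl, True, body)
    except OSError:  # socket.timeout is a subclass of OSError
        return ProbeResult(ttl, False, None)
    finally:
        sock.close()


def sha256(data: Optional[bytes]) -> Optional[str]:
    return hashlib.sha256(data).hexdigest() if data is not None else None


def classify(results: List[ProbeResult], target_hops: int) -> dict:
    """Interpret a TTL sweep against a separately measured hop count.

    A completed handshake at a TTL below `target_hops` means something before
    the server answered. Comparing its body with the body seen at or beyond
    `target_hops` tells a cache serving identical content apart from a device
    returning different content. Neither verdict is proof of anything on its
    own; it only says where on the path the answer came from.
    """
    answered = sorted((r for r in results if r.answered), key=lambda r: r.ttl)
    if not answered:
        return {"verdict": "no_response", "first_answering_ttl": None}
    first = answered[0]
    if first.ttl >= target_hops:
        return {"verdict": "target_answered", "first_answering_ttl": first.ttl}
    reference = next((r for r in answered if r.ttl >= target_hops), None)
    verdict = "in_path_device_unknown_content"   # never saw the real server's body
    if reference is not None:
        verdict = ("in_path_device_same_content"
                   if sha256(first.body) == sha256(reference.body)
                   else "in_path_device_different_content")
    return {"verdict": verdict,
            "first_answering_ttl": first.ttl,
            "reference_ttl": reference.ttl if reference else None,
            "early_body_sha256": sha256(first.body)}


# Constructed sample sweeps (not real captures): the server is 9 hops away,
# timeouts below TTL 6, and a device at hop 6 starts answering.
REAL_PAGE = b"<html>real page</html>"
OTHER_PAGE = b"<html>something else</html>"

CACHE_SWEEP = [ProbeResult(t, False) for t in range(1, 6)] + \
              [ProbeResult(t, True, REAL_PAGE) for t in range(6, 13)]
DIFF_SWEEP = [ProbeResult(t, False) for t in range(1, 6)] + \
             [ProbeResult(t, True, OTHER_PAGE) for t in range(6, 9)] + \
             [ProbeResult(t, True, REAL_PAGE) for t in range(9, 13)]


def demo() -> tuple:
    return classify(CACHE_SWEEP, 9), classify(DIFF_SWEEP, 9)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The sweep only tells you that a device before the server terminated the connection and what it returned; as the comment says, matching content at hop 6 is exactly what a transparent cache looks like, and even differing content needs the full traces before calling it an injection.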



