Responding to my own post (bad form). But hasn't he just found a network cache? Many firewalls block certain kinds of ICMP traffic for security reasons. So not being able to traceroute to some place is not suspicious in and of itself. So he sets the TTL so that it should not hit Baidu, but I notice in the picture of the last trace that he actually gets a "200 OK". I would not have thought that a man in the middle device would respond because then it would have to also know the content with which to respond. Since this is not the target Baidu machine, this has to be a cache.

It is possible that the cache is also injecting the attack, but I don't actually see anything that suggests this from the data in the article.