When TPB was pretending to be in North Korea, someone proved that they weren't, [1] because of how quickly they responded to a ping. Could someone narrow down the physical location of the firewall similarly?
You can really only use a method like this to say where a server is not (it can't be halfway around the world because the speed of light limits it), but this is assuming you're communicating directly with the server. The method used to inject these packets on the wire makes this sort of analysis even harder to do (and if there was concern, appropriate amounts of random delay and noise could be added).
>The method used to inject these packets on the wire makes this sort of analysis even harder to do
I was under the impression that this was a man-on-the-side attack, so they'd send a bogus SYN-ACK back to you the moment that they saw a SYN. Theoretically, you should still only be dealing with one RTT.
>(and if there was concern, appropriate amounts of random delay and noise could be added).
I don't think China cares if it gets traced back to them.
The man on the side they're performing, according to analysis, seems to be letting the initial SYN through to the original server, you get the SYN-ACK back from the actual Baidu server. Then after your ACK and HTTP GET, the other packets are injected. If they wanted to make the attack more subtle, messing with the timing to make it match the original SYN-ACK pair and keeping the right TTL values would make it much harder to detect.
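As an added example, not part of the thread, here is a small Python check that applies the two clues from the comment above to a constructed packet log: the genuine SYN/SYN-ACK pair gives a baseline TTL and RTT, and an inbound data packet whose TTL differs or which arrives far sooner than the RTT allows is flagged. The packet records, the field names and the thresholds are constructed assumptions, not values from any real capture.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    t: float        # seconds since capture start
    direction: str  # "out" = client -> server, "in" = server -> client
    flags: str      # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    ttl: int        # IP TTL as seen at the client
    payload: str = ""


def baseline(flow):
    """TTL and RTT of the real handshake: the SYN-ACK comes from the genuine server."""
    syn = next(p for p in flow if p.direction == "out" and p.flags == "S")
    synack = next(p for p in flow if p.direction == "in" and p.flags == "SA")
    return synack.ttl, synack.t - syn.t


def suspicious_packets(flow, ttl_slack=0, rtt_fraction=0.5):
    """Inbound data packets whose TTL or arrival time disagree with the handshake.
    Thresholds are constructed: routes can shift TTL by a hop or two, and a reply
    well under one RTT is only suspicious if the request was not retransmitted."""
    ttl0, rtt = baseline(flow)
    last_request = None
    hits = []
    for p in flow:
        if p.direction == "out" and p.payload:
            last_request = p.t                      # e.g. the HTTP GET
        elif p.direction == "in" and p.payload:
            reasons = []
            if abs(p.ttl - ttl0) > ttl_slack:
                reasons.append(f"ttl {p.ttl} vs handshake ttl {ttl0}")
            if last_request is not None and p.t - last_request < rtt * rtt_fraction:
                reasons.append(f"reply {p.t - last_request:.3f}s after request, rtt {rtt:.3f}s")
            if reasons:
                hits.append((p, reasons))
    return hits


# Constructed capture: real handshake, a fast on-path injection with a different
# TTL, then the genuine server reply roughly one RTT after the request.
SAMPLE_FLOW = [
    Pkt(0.000, "out", "S", 64),
    Pkt(0.180, "in", "SA", 48),
    Pkt(0.182, "out", "PA", 64, "GET /js/lib.js HTTP/1.1"),
    Pkt(0.190, "in", "PA", 61, "HTTP/1.1 200 OK (constructed injected body)"),
    Pkt(0.365, "in", "PA", 48, "HTTP/1.1 200 OK (genuine reply)"),
]

if __name__ == "__main__":
    for pkt, why in suspicious_packets(SAMPLE_FLOW):
        print(f"t={pkt.t:.3f} flagged: " + "; ".join(why))
```

On the constructed flow only the packet at t=0.190 is flagged, on both counts; the genuine reply shares the handshake's TTL and arrives a full RTT after the request.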
"On your second question, it is quite odd that every time a website in the US or any other country is under attack, there will be speculation that Chinese hackers are behind it."
[1]: https://rdns.im/the-pirate-bay-north-korean-hosting-no-its-f...