by rdl 4636 days ago
Can we translate that to something sane? Is it "shorter BGP/more specific route announcement?" Or some kind of MITM by being directly in line? Assuming it is TCP traffic, just being "faster to respond" doesn't help all that much without some other logic.

If I were MITMing with full cooperation of only a subset of a network carrier, I'd probably go for some route announcement tricks; easier to interface with the rest of the organization, and due to lack of filtering internally, not much config change required. Would fail safely (== non-detectably), also, and could potentially be explained away as "oh, shit, some stupid ISP leaked routes".

(I guess you could give bad DNS responses, too, and then go from there, but that sounds more detectable at the end user device, which is very undesirable.)