A More Devious Response

Last week there was a distributed denial-of-service attack against Blue Security. In response to that attack, the not-so-thoughtful folks there changed the DNS entry for the target of the attack to the IP address of another host. Specifically, they flooded SixApart.

First, I wouldn’t call this an “incredibly sophisticated” attack, since it simply followed the instructions of a DNS server outside the control of the attackers. Second, the sysadmins at Blue Security apparently need to re-read their BOFH manual or return to the Scary Devil Monastery for instruction.

Changing the DNS entry to 127.0.0.1 or 0.0.0.0 would have been much funnier [evil grin].

With either entry, the packets would return to the sending host, turning the attack back on the attackers. Some implementations handle the two addresses differently, but they are essentially the same: the former is the loopback interface, while the latter is “this host on this network.” The change would not make the website available under the expected name, but it would remove the traffic from the network.
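
As an added illustration (not part of the original post), here is a small change-review check that classifies where a proposed DNS record would send traffic and rejects any address belonging to someone else. The record names, the owned range and the sample zone lines are constructed for the example.

```python
import ipaddress

# Constructed sample: address space the operator controls (documentation range).
OWNED = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed proposed records in zone-file form: name ttl class type rdata
PROPOSED = """\
www.example.test.  60 IN A    127.0.0.1
www.example.test.  60 IN A    0.0.0.0
www.example.test.  60 IN A    192.0.2.10
www.example.test.  60 IN A    198.51.100.7
www.example.test.  60 IN AAAA ::1
"""

def classify(addr, owned=OWNED):
    """Say where traffic for a name would go if it resolved to addr."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:        # 127.0.0.0/8 or ::1
        return "loopback"
    if ip.is_unspecified:     # 0.0.0.0 or ::
        return "unspecified"
    if any(ip in net for net in owned):
        return "own-network"
    return "third-party"      # someone else would receive the traffic

def review(zone_text, owned=OWNED):
    """Return (name, address, verdict, allowed) for each A/AAAA record."""
    results = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop zone-file comments
        if len(fields) != 5 or fields[3] not in ("A", "AAAA"):
            continue
        name, _ttl, _cls, _rtype, rdata = fields
        verdict = classify(rdata, owned)
        results.append((name, rdata, verdict, verdict != "third-party"))
    return results

if __name__ == "__main__":
    for name, addr, verdict, allowed in review(PROPOSED):
        print(f"{'ok    ' if allowed else 'REJECT'} {name} -> {addr} ({verdict})")
```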