How do you confirm the person asking for the certificate actually owns the domain?

@NOYB,

An attacker would still only need to know one path or location, the destination, wouldn't they?

Nope, the attacker would need to make the attacker's server look like the real server from the perspective of each validation server that we used, which could be n different and independent paths. They don't simply have to knock the genuine server offline; instead, they have to be able to be seen as the genuine server by each validation server.
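The argument in the reply above, as an added example that is not part of the original post: a small Python model in which a challenge only passes if every validation server sees the requester's token. The vantage names, the token, the `routes` map and the `max_failures` tolerance are constructed assumptions for illustration, not any CA's actual implementation.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data: vantage names and token are hypothetical.
VANTAGES = ["validator-a", "validator-b", "validator-c"]
CHALLENGE_TOKEN = "constructed-token-123"


def observe(routes: Dict[str, str], requester: str, token: str) -> Dict[str, Optional[str]]:
    """Model what each validation server fetches for the challenge.

    routes maps a vantage to the server its network path actually reaches
    ("genuine" or "impostor"). Only the requester's own server was given
    the token, so a vantage that reaches the other server sees None.
    """
    return {v: (token if server == requester else None) for v, server in routes.items()}


def domain_validated(expected: str, observations: Dict[str, Optional[str]],
                     max_failures: int = 0) -> Tuple[bool, List[str]]:
    """Approve only if at most max_failures vantages miss the token.

    max_failures=0 is the case in the post: each validation server must
    see the requester as the genuine server. A nonzero tolerance is an
    assumed generalization, not something the post describes.
    """
    dissent = sorted(v for v, seen in observations.items() if seen != expected)
    return len(dissent) <= max_failures, dissent


def outcome(diverted: List[str], requester: str, max_failures: int = 0) -> Tuple[bool, List[str]]:
    """Run one validation where the paths of `diverted` vantages reach the impostor."""
    routes = {v: ("impostor" if v in diverted else "genuine") for v in VANTAGES}
    obs = observe(routes, requester, CHALLENGE_TOKEN)
    return domain_validated(CHALLENGE_TOKEN, obs, max_failures)


if __name__ == "__main__":
    print("owner, no diversion:  ", outcome([], "genuine"))
    print("impostor, 1 of 3 paths:", outcome(["validator-a"], "impostor"))
    print("impostor, 2 of 3 paths:", outcome(["validator-a", "validator-b"], "impostor"))
    print("impostor, all 3 paths: ", outcome(VANTAGES, "impostor"))
```

The dissent list is also the detection signal: a request that passes from some vantages and fails from others is worth logging and reviewing rather than silently rejecting.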