I suppose I wasn't very clear then. Ah well, life.
> I'm more curious why we don't start large-scale investigations in response to each DDoS attack: each one gives you a list of machines likely participating in a botnet.
I'm not just talking about finding the originator of the attack; I'm talking about finding and cutting off all the vulnerable systems that facilitate the attacks.