As far as tracking DoS, I've read some good papers on the subject and it always boils down to tracking MAC addresses and going interface by interface to the source, demanding inter-ISP cooperation, and finally legal assistance. This has been tried during a few severe instances with poor results.
That's the obvious solution to the problem if the problem is how to track down the source(s) of a DoS attack. However, in any DoS attack, there is always a victim and one or more devices sending attack traffic to the victim. The owners of the attacking devices are accessories to the crime although I'm sure they could plead ignorance and avoid any liability. But what if they could not plead ignorance? What if we could identify some of the attacking devices, and what if the victim sent a legal "cease and desist" letter to the owners of the attacking devices? Now, the victim is in a position to sue the owners of these attacking devices if they don't fix the problem by securing their machines. And once this happens and gets some press coverage, a whole bunch of other machine owners will wake up and realize that they could be stuck with big legal bills if they don't secure their machines. So, to restate the problem, how do we identify some of the sources of a DoS attack quickly, maybe even while the attack is still in progress?
Bots/Zombies are traded openly on IRC and there is no accountability for personal security. ISPs won't shut someone down because they've been "hacked", merely send them a warning Email or call--a process that takes days in my experience.
How many ISPs would identify the user of an IP address for the purposes of sending a "cease and desist" letter when contacted by a lawyer? Considering that failure to provide the identity would result in the ISP themselves getting sued by the DoS victim? As long as *SOME* ISPs would cooperate with a DoS victim, there is enough to get the legal ball rolling. The alternative is to painfully backtrack until you find an uncooperative ISP and then sure them. As I said before, if there was a central registry something like dshield.org that collected data on the destination IP addresses of DoS attacks along with estimated magnitude based on analysing the traffic from random source addresses blocked by ingress filters, then we have something an ISP can use to analyze their outgoing traffic. If you are an ISP and you have netflow data that contains destination addresses which also occur in the DoS victim registry then you should be willing to act on that data. Of course, it's up to you what you do with it. You may offer the DoS victim the identity of the source provided that they serve you with the right legal documents. Or you might go to the owner of the machine yourself with the evidence and warn them that they are aiding and abetting cyber terrorists and could suffer the legal consequences if they don't secure their machines. It's certainly not perfect but it's worth a try. --Michael Dillon