There is one (not very complex) additional way to determine
the real source of attack - DNS. If you configure DNS servers
(you and secondaries also) to write log of requests and after
that change your server IP address, you can fix the time
then attacker change address to new. Manual analize of logs
can very limit the number of potential attackers - look at the time
of requests.
- Leonid Yegoshin, LY22