If the traffic passes through ANS, call the NOC or send e-mail to
firstname.lastname@example.org. We can generally tell you where the traffic came
into ANS, even after the fact. You then go to the next NOC down the
line. Repeat until completed.
No, it isn't automated, and brief attacks would be tough, but that's the
state of things and it has been sufficient. You typically need to go
through one or two providers and then a site or campus and maybe a
department before getting to the source machine.
I've only been rarely and mostly peripherally involved in followup but
I do remember a number of other providers being extremely cooperative
to the point of physically moving workstations to act as sniffers,
though they did need to set up monitoring to trace things further.
I seem to remember a number of cases that were traced as being
recurring cases of badly broken software rather than attacks, like
boxes that didn't like multicast and crashed and spewed garbage. This
latest incident could be the same.