@LukaszOlejnik I used to be the manager of the Cloudflare DDoS protection team... and we never bothered trying to attribute an attack, it is pointless.

Even if (a big if) you could say "this machine definitely sent a malicious packet/request"... there was no way to state with confidence whether the machine was part of a botnet, or had a compromised piece of software, or a misconfiguration led to it being an open proxy.

That's before looking at the many types of attacks like UDP reflection, SYN floods, etc where the addresses are either not the attacker, or entirely made up and spoofed.

There's a (non-public) mailing list of DDoS protection people from FAANG and 3-letter agencies, and no-one would attempt to attribute... only to mitigate impact and bolster defences.

The only time I ever saw public claims of attribution around attacks were for propaganda reasons.