March 12th, 2002, 02:33 AM
#3
Junior Member
I have heard of folks who "claim" they can trace a spoofed IP back to its source, but I have doubts. The couple I've seen demo'd all require distributed sniffers throughout the network being monitored to tag every packet going by. Frankly... I don't see that as reality across the entire Internet.
PREFACE: Following is -very much- a long shot. I know that. For the sake of the forum and trying to help, I offered the following.
However, here is what you can try:
- Try to work at the time of the attack, in case the attacker is using dialup or drops off the net after the attack. Try pinging and resolving then.
- Take a look at the TTLs of previous attacks and the current attack. While many spoofers allow for TTL spoofing, most KS's will only spoof the IP.
- If the TTL is always the same for all attacks, then you are in some luck. Probably just one person from one source. May be a compromised source, but still, a single source is easier for the victim.
OK... Now is where the work starts. If it's a random attack for no purpose, then you may never find the source. However, if the attacker is also trying to access your system(s), then you may find them. Hopefully you have old tcpdump or snort files saved for the weeks prior to the attack. This is an expensive option (long-term storage) depending on the amount of traffic you have, but valuable in tracing the history of attacks stretched out over weeks of time.
From your old traffic, histogram the TTLs and tie them to the source IP, assuming the attacker will use the same system to access your machines as for all the floods. Look for suspicious activity history from any IP with TTLs similar to the floods'.
Good luck.
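The TTL-histogram search the post describes, as an added example that is not part of the original post. It assumes `tcpdump -nv` style text output (the `ttl` field in the IP header line followed by the 5-tuple, which newer tcpdump versions wrap onto an indented continuation line) and uses two constructed captures with documentation addresses: a "flood" whose spoofed sources all carry the same TTL, and a week-old "history" capture in which one host with that TTL was probing several ports. Everything here is hypothetical illustration, not the poster's code.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of tcpdump -nv output from the weeks before the attack.
# 198.51.100.7 (TTL 52) walked several ports; 203.0.113.9 (TTL 128) is ordinary web traffic.
HISTORY = """\
08:14:02.000001 IP (tos 0x0, ttl 52, id 10, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.7.40001 > 192.0.2.10.21: Flags [S], seq 1, win 5840, length 0
08:14:02.000002 IP (tos 0x0, ttl 52, id 11, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.7.40002 > 192.0.2.10.22: Flags [S], seq 2, win 5840, length 0
08:14:02.000003 IP (tos 0x0, ttl 52, id 12, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.7.40003 > 192.0.2.10.23: Flags [S], seq 3, win 5840, length 0
08:14:02.000004 IP (tos 0x0, ttl 52, id 13, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.7.40004 > 192.0.2.10.80: Flags [S], seq 4, win 5840, length 0
09:00:00.000001 IP (tos 0x0, ttl 128, id 20, offset 0, flags [DF], proto TCP (6), length 48)
    203.0.113.9.3120 > 192.0.2.10.80: Flags [S], seq 5, win 16384, length 0
09:00:05.000001 IP (tos 0x0, ttl 128, id 21, offset 0, flags [DF], proto TCP (6), length 48)
    203.0.113.9.3121 > 192.0.2.10.80: Flags [S], seq 6, win 16384, length 0
09:30:00.000001 IP (tos 0x0, ttl 52, id 30, offset 0, flags [none], proto ICMP (1), length 84)
    198.51.100.44 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
"""

# Constructed sample of the flood: random spoofed sources, but the TTL is always 52.
FLOOD = """\
14:00:00.000001 IP (tos 0x0, ttl 52, id 1, offset 0, flags [none], proto TCP (6), length 40)
    10.200.3.4.1025 > 192.0.2.10.80: Flags [S], seq 0, win 512, length 0
14:00:00.000002 IP (tos 0x0, ttl 52, id 1, offset 0, flags [none], proto TCP (6), length 40)
    172.31.9.9.1025 > 192.0.2.10.80: Flags [S], seq 0, win 512, length 0
14:00:00.000003 IP (tos 0x0, ttl 52, id 1, offset 0, flags [none], proto TCP (6), length 40)
    10.77.1.2.1025 > 192.0.2.10.80: Flags [S], seq 0, win 512, length 0
"""

# Pulls ttl, protocol and the src/dst (with optional ports) out of one joined tcpdump -nv record.
TCPDUMP_V = re.compile(
    r"ttl (?P<ttl>\d+),.*?proto (?P<proto>\w+) \(\d+\), length \d+\)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:"
)


def join_continuations(text):
    """Rejoin records whose 5-tuple was wrapped onto an indented continuation line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.strip())
    return records


def parse_tcpdump_v(text):
    """Return (src, dst, ttl, proto, dport) tuples; dport is None for ICMP and the like."""
    out = []
    for rec in join_continuations(text):
        m = TCPDUMP_V.search(rec)
        if m:
            dport = int(m.group("dport")) if m.group("dport") else None
            out.append((m.group("src"), m.group("dst"), int(m.group("ttl")), m.group("proto"), dport))
    return out


def flood_ttls(flood):
    """TTL distribution of the flood, ignoring the (spoofed) source addresses."""
    return Counter(ttl for _src, _dst, ttl, _proto, _dport in flood)


def ttl_histogram(history):
    """src IP -> Counter of TTLs seen from that address in the historical capture."""
    hist = defaultdict(Counter)
    for src, _dst, ttl, _proto, _dport in history:
        hist[src][ttl] += 1
    return hist


def distinct_dports(history):
    """src IP -> number of distinct destination ports it touched (scan-like behaviour)."""
    ports = defaultdict(set)
    for src, _dst, _ttl, _proto, dport in history:
        if dport is not None:
            ports[src].add(dport)
    return {src: len(p) for src, p in ports.items()}


def candidate_sources(history, flood):
    """Historical sources whose dominant TTL matches a flood TTL, ranked by how
    scan-like their earlier traffic was and then by packet count."""
    wanted = set(flood_ttls(flood))
    nports = distinct_dports(history)
    cands = []
    for src, counter in ttl_histogram(history).items():
        ttl, n = counter.most_common(1)[0]
        if ttl in wanted:
            cands.append({"src": src, "ttl": ttl, "packets": n, "distinct_dports": nports.get(src, 0)})
    return sorted(cands, key=lambda c: (-c["distinct_dports"], -c["packets"]))


if __name__ == "__main__":
    flood = parse_tcpdump_v(FLOOD)
    dist = flood_ttls(flood)
    print("flood TTLs:", dict(dist), "(one TTL: likely a single source)" if len(dist) == 1 else "")
    for cand in candidate_sources(parse_tcpdump_v(HISTORY), flood):
        print(cand)
```

With the constructed data the flood shows a single TTL (52), and the ranked candidates put 198.51.100.7 first because it both carried TTL 52 and touched four different ports weeks earlier; the TTL-52 host that only pinged once ranks below it. On real captures the TTL match alone is weak evidence (any host at the same hop distance with the same OS default shares it), which is why the ranking also weighs prior suspicious activity.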