My sites were attacked for the first time, need some tips

Status
Not open for further replies.

RockDiesel
Nov 29, 2007
So my sites were attacked, I guess ddos, and as a result my hosting account with HostMonster was suspended. I went through my logs, banned the offending IP, and got everything reactivated. However, I know jack shit about security and how I should protect myself from this in the future.

Anyone, like subigo, who has experience in hosting have any info for me to prevent myself from getting bombed like this again? Never experienced this before so I have no idea where to start.
 


I would think HG would have firewalls in place for this, but... There's really not much you can do in this situation. The attackers can just hit you from different servers over and over again until HG decides to permanently ban you.

It might be worth it to find a cheap dedicated server somewhere if it's a big problem. At least then you won't have to worry about being shut down and you can install a firewall like CSF that has good built in ddos detection.
 
Maybe there is a standard plugin which you can use in any hosting package that prevents ddos attacks, just like an antivirus and antispyware software, this would be something like akismet, but it would protect and alter your htaccess dynamically, based on threats reported from around the world, howzzat.
 
Maybe there is a standard plugin which you can use in any hosting package that prevents ddos attacks, just like an antivirus and antispyware software, this would be something like akismet, but it would protect and alter your htaccess dynamically, based on threats reported from around the world, howzzat.
*facepalm* Just shut the fuck up (and GTFO) if you have no idea what you talking about.
 
Maybe there is a standard plugin which you can use in any hosting package that prevents ddos attacks, just like an antivirus and antispyware software, this would be something like akismet, but it would protect and alter your htaccess dynamically, based on threats reported from around the world, howzzat.
No. There's not. There are a few things that can kill a DDOSed server:

  • Too much bandwidth
  • Not enough processor/RAM (large pages, lots of PHP, etc)
  • Too many concurrent connections.
A plugin might be able to slow down the bandwidth problem(though it still has to pass the headers).
It could also possibly help with processor/ram, but that would require the DDOS plugin to be more efficient than the page that would load after it. In addition, if you have legitimate traffic that's still coming in DURING the DDOS, you actually would have an even larger processor load because those users would be executing the intensive page AND the DDOS checking plugin.

Now those were actually the small problems.
The first big one is that most DDOSes aren't necessarily going to be HTTP requests, so few things you could have on the server end are even going to execute. Unless you're running something like PeerGuardian, which is going to use a fuckin bungload of processor anyways.

The second big problem is the number of connections a server can handle at any given time. They're ALL limited. First by the shared hosting company. But if the guy has a bigger botnet, you're still screwed because they can max out the number of connections on the box.

There ARE software DDOS solutions, but they're pretty much shiite if the person knows what they're doing. I haven't had to do it thank god, but I've heard good results from filtering it at the router.

All that said, it sounds like op was getting DOSed by ONE ip, which is totally different and easy as piss to block.
 
DDoSing can't be stopped for good regardless of what you do, but it can be slowed down and made hard to successfully penetrate. Just tell your host not to be nazis about the hosting. They should be covering a decent firewall just in case. Looks like your host is careless. Even if they cap your bandwidth, the server shouldn't have let you down like that. You should've gotten like an 'excessive bandwidth reached' type of message, not the site completely being unreachable.
 
If you're OK with being followed around by guys in black SUVs, you could always go this route:

http://www.wickedfire.com/shooting-shit/25354-eli-working-white-house.html
That thread really was excellent stuff when it happened. In that thread you can read very, very clearly who are the real players here and where everybody is positioned. What's funny is that majority of posters in that thread think they know exactly where they stand. But it's way way off and they don't even realize it :D
 
I have a lil' bit of experience with this so I'll chime in :)

first identify what kind of attack and what your intentions are (to either stop it or catch them). I suggest catching them because if they did it once they might do again.

If it's coming from a single IP just block the IP in your firewall or at least in the Apache config or htaccess. You can only do the Apache and htaccess if it's an HTTP attack. Some attacks come from TCP and other methods.
If it's coming from scripts (on freehosts or proxies) contact all of them and try to get the attack stopped and get a copy of their log files and work your way back to the source.

To catch them first contact your local fbi. You'll probably end up needing them to get the information you need from isps and such. They can be extremely helpful.
If the attack is coming from lots of IPs and they appear to be regular DSL or internet PCs then you probably have a botnet on your hands. Determine the size of the botnet and try to adjust your Apache, firewall and server to handle it. Some of the botnets are made by viruses and there are literally millions of infected computers so this may all be in vain.
If so then parse through all your logs and grab the geo location of the IPs. Try to identify a few local computers. If you can get a few local ones you can head down to their ISPs (smaller ones will be more accommodating) and tell them your situation. Talk them into getting a few of the customers' contact information.

Then contact the customers and tell them how they have a virus on their computer and it's been attacking your website, which is why their computer has been so slow online lately. Offer to pay to have a professional repair shop in town fix up their computer in exchange for you getting to look at the virus and where it came from. Then bring their computers to the repair shops and direct them to take a 48hr log of all their netstats in both incoming and outgoing connections with all the extra startup software disabled. Meanwhile temporarily adjust your server to come as close as possible to handling the attack and if you can taunt the attacker to adjust his attack. This will cause him to resend commands to the botnet. It'll also cost him a lot of money if he hired someone to do the attack. Which will give you a good idea if he can afford to do it again. Return the computers and go through the logs.

See if you can identify some sort of website or email address that the botnet pulls its attack commands from. Once you've identified that quickly contact the fbi guys again and get a court order to get the information of the owner. From there work your way backwards till you find the culprit.

Often times, as with what happened to me, they hire so called "companies" in foreign countries who specialize in performing ddos attacks and will attack sites and servers for a price. If that's the case you're in kind of a long setback, especially if it comes from a country that is lenient on cybercrimes. All else fails though, since 9/11 and the Patriot Act the FBI is in most countries and you can call the FBI in the suspect's area and file a case with them. They can usually at least go kick in a door or two, confiscate a computer or do a little interrogation. Usually the person who was hired will fess up to who hired him to do the attack and you can begin the long process of getting charges filed, an arrest made and the subsequent lawsuits for damages.

No matter what, if you get in contact with the attacker keep them talking. Lie through your teeth, play smart play dumb say whatever you need to say to squeeze any sort of information out of them. Either way you're fucked for the moment so don't be afraid of doing worse by taunting them. Remember the longer the attack goes on the higher the risk they're taking of getting caught.

Good luck man keep us posted.
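Both subigo's point that a single-source flood is easy to block and ChrisS's advice to parse your logs and then deny the address in htaccess come down to the same defensive routine: count requests per IP over a short window, flag the outliers, and emit an Apache 2.2-style deny block. The script below is an added illustration, not code from anyone in the thread; the log lines are constructed samples using RFC 5737 documentation addresses, and the threshold and window values are assumptions you would tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log format; only the leading fields are needed here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one address hammering index.php once a second, one ordinary visitor.
SAMPLE_LOG = ['203.0.113.7 - - [29/Nov/2007:10:00:%02d +0000] "GET /index.php HTTP/1.1" 200 5120' % s
              for s in range(30)] + [
    '198.51.100.5 - - [29/Nov/2007:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 1024',
    '198.51.100.5 - - [29/Nov/2007:10:00:12 +0000] "GET /contact.html HTTP/1.1" 200 980',
]

def parse_line(line):
    """Return (ip, datetime) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)

def find_floods(lines, max_hits, window_seconds):
    """Return {ip: peak_hits} for addresses that sent more than max_hits requests
    inside any window_seconds-long span (sliding window over each IP's sorted timestamps)."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            hits[ip].append(ts)
    offenders = {}
    for ip, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            # advance the window start until it fits within window_seconds of t
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_hits:
            offenders[ip] = peak
    return offenders

def htaccess_rules(offenders):
    """Apache 2.2-style .htaccess block denying every flagged address."""
    rules = ["Order allow,deny", "Allow from all"]
    rules += ["Deny from %s" % ip for ip in sorted(offenders)]
    return "\n".join(rules)

if __name__ == "__main__":
    print(htaccess_rules(find_floods(SAMPLE_LOG, max_hits=5, window_seconds=10)))
```

As subigo notes, this only helps against HTTP floods that reach Apache; a firewall rule at the host or router is the stronger place to drop the same address.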
 
Gotta agree with ChrisS. DDoS is nasty. We have had some clients hooked up for days to try and stop the DDoS. Ain't fun for anyone involved, as we know our clients are affected and there is only so much we can do until it subsides.
 