Regular warrants given after the attack (to get records or add logging and records) and no pre-existing logging on the network (enforced on providers, or done by a central entity with or without legal permission) make it really hard to track down attacks which are short-lived, highly mobile, etc.
I'm not sure where the current, ideal, and historical tradeoffs have been for this.