> I'm more curious why we don't start large-scale investigations in response to each DDoS attack: each one gives you a list of machines likely participating in a botnet.
No, at this point the machines are most likely 'innocent' and are just running exploitable services (usually NTP, DNS, or chargen). Despite widespread knowledge of the vulnerabilities of these protocols (http://openresolverproject.org/, http://openntpproject.org/), getting people to actually fix their systems is hard. Since the systems themselves aren't compromised, investigating each one is not really a good use of your time.
These attacks rely on the ability of the attacker to spoof IP addresses. Tracking down the sources of these spoofed packets would be more useful, but this requires the cooperation of the transit providers. It will also lead back to providers that make money by allowing spoofed traffic in the first place. Ecatel is the well-known one right now; they are very popular in the 'booter' business.
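An added example (not code from the comment above) of the two defender-side checks the comment implies: a BCP38-style egress filter that flags outbound flows whose source address is not one the network originates, and a detector for inbound reflected traffic from the NTP/DNS/chargen ports. The flow records, prefixes and byte threshold are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# UDP source ports of the reflector services named in the comment.
REFLECTOR_PORTS = {123: "ntp", 53: "dns", 19: "chargen"}

# Constructed: the only prefix this hypothetical network is allowed to originate.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed flow records: (direction, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    ("out", "203.0.113.10", 40000, "198.51.100.5", 123, 60),    # legitimate NTP query
    ("out", "192.0.2.77", 40001, "198.51.100.5", 123, 60),      # spoofed: victim's address as source
    ("out", "192.0.2.77", 40002, "198.51.100.9", 53, 70),       # spoofed again, toward a resolver
    ("in", "198.51.100.5", 123, "203.0.113.10", 40000, 90),     # normal-sized NTP reply
    ("in", "198.51.100.20", 123, "203.0.113.50", 40500, 4400),  # oversized NTP reply: reflection
    ("in", "198.51.100.21", 19, "203.0.113.50", 40501, 1500),   # chargen reply nobody asked for
]


def spoofed_egress(flows, prefixes=OUR_PREFIXES):
    """BCP38-style egress check: outbound flows whose source address lies
    outside every prefix this network originates. Returns (src, dst, dport)."""
    suspect = []
    for direction, src, _sport, dst, dport, _nbytes in flows:
        if direction != "out":
            continue
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in prefixes):
            suspect.append((src, dst, dport))
    return suspect


def reflection_victims(flows, min_bytes=1000):
    """Inbound flows sourced from a reflector port that exceed min_bytes,
    grouped by destination: {victim_ip: {service: total_bytes}}."""
    victims = defaultdict(lambda: defaultdict(int))
    for direction, _src, sport, dst, _dport, nbytes in flows:
        if direction != "in" or sport not in REFLECTOR_PORTS or nbytes < min_bytes:
            continue
        victims[dst][REFLECTOR_PORTS[sport]] += nbytes
    return {victim: dict(services) for victim, services in victims.items()}


if __name__ == "__main__":
    print("spoofed egress:", spoofed_egress(SAMPLE_FLOWS))
    print("reflection victims:", reflection_victims(SAMPLE_FLOWS))
```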