This article in Scientific American does a nice job of describing why it is difficult to track attacks back to their true origins. This essay by Bruce Schneier goes farther arguing that it is fundamentally impossible to create an Internet without anonymity.

The core point of both articles is that identifying the computer that a given packet came from is not the same as identifying the sender. The computer could be a server set up to enable anonymous communications (like Anonymizer.com), it could be a compromised computer (like part of a botnet), or even a server run by the attacker purchased using pre-paid or stolen credit cards.

Whatever the mechanism, it will always be possible for attackers to hide their identities and activities. The real question is the degree to which we are willing to design the Internet to make tracking and monitoring of citizens easy for repressive regimes.