With a DoS attack, you can generally call the ISP of the source and get them cut off. This becomes infinitely more difficult in the distributed scenario.
I don't see how you could do this in real time, unless it was only a single attacker. If a DDoS hit you, it would take a long time to analyze the logs and determine what sequence the attack was working on.
That's exactly what I said. DoS is a single-source attack. DDoS is multiple-source. A DoS would be possible to cut off; a DDoS would be impossible.