04-28-2006, 02:20 PM
xMerCLorDx
 

Quote:
Originally Posted by James
With a DOS attack, you can generally call the ISP of the source and get them cut off. This becomes infinitely more difficult in the distributed scenario
I don't see how you could do this in realtime, unless it was only a single attacker. If a DDoS hit you it would take a long time to analyze the logs and determine what sequence the attack was working on.

Even if you were adept, determining that sequence may be faster, but you'd still have to find the sources of the IPs and call the ISPs who own the IP blocks. These calls may take tens of minutes or longer on hold and whatnot. The entire time your firewall's buffer and your bandwidth are reaching critical mass.

Quote:
Originally Posted by Jason425
and especially if they're overseas in a 3rd world country
Are you saying that ISPs overseas are less responsible for malicious activities of their clients?