... is part of the problem
I run a website small enough that I (perhaps foolishly) get an email for EVERY failed http request. This makes it easy for me to spot patterns of failed hacks and even build some automated detection of hack attempts into my system. I have had LIMITED success with reporting the hack back to the machine owner. I do this because I figure, either A) it's almost always a compromised machine and therefore unfair and unhelpful to try to hack back, or B) a rogue admin is using company hardware to launch attacks in the off-hours. Either way, the company is made aware that their assets are being abused, and will hopefully have the smarts to fix it, and in the case of "B", the admin has probably lost their job and doesn't know which site reported his abuse, which in turn improves my chances of not getting a retaliation attack later. I'd guess that 95% of all attempts on my system are from compromised systems, and of those, 90% are script kiddies... always trying to access phpMyAdmin, wp-login, or some other randomly psudo-important folder such as
/login. In the rare cases where the server appears to be out of country, or not owned by a recognizable company, I simply opt for the ban-hammer. I ban via database rather than the router because I don't have access to the router... which is nice because it lets me dream about formulating plans for some XKCD
Point is: Reporting the abuse will likely not net an arrest let alone fame and glory, but if enough people are reporting the abuse, someone will take notice and do something about it. Also, no matter how you slice it, reporting the abuse through the proper channels decreases the odds that the hacker will KNOW it was you who reported the abuse, and now people with better tracking skills that myself are working on it.