re: China Hack Attacks: Play Offense Or Defense?
Unlike other readers, I can speak with a bit more insight, since we've been under a cyber attack since last December.
I agree with John, in that your system should be as near hack-proof as you can make it. To date, not a single attack vector has succeeded, so we must have done something right.
We minimise the impact on ourselves, by getting our IDS to immediately generate a new firewall rule, for every identified hack attempt. It also generates an email to the ISP, identifying the IP address of the attacking zombie, and a clue as to where to find the malware (eggdrop bot/psybnc).
Our offence strategy, if you can call it that, is in the form of an abuse file, sent back by apache, containing 1500 lines of 'Attempted Abuse' messages which, at least, delay the next line of the hack script, long enough for the firewall to be in a position to stop it. For good measure, the last line of the abuse file is a series of ANSI escape codes, designed to screw up any ANSI terminal running a script.
Having had little joy from communicating with CERT, in the 51 countries from which attacks are emanating, we recently contacted SANS and, at least, get the impression that they know what they're doing.