Ah, so he's paying someone else to do it. By "bought a script" I assumed you meant paid for a bit of JS then just ran it, which definitely wouldn't have been right!I know he has bought scripts to do it. I have seen them. He bought it with his parents' credit card. I can't report him and they can check their card history? He pays about $12 a month for it.
As root said above, report him to the police and try and be patient whilst their investigating. I'd also continually lobby your ISP - they may act eventually, it's not in their interest for one of their clients to be DDoSed either since unless you're on a low contention ratio it's going to eat into other people's bandwidth like crazy.