I know he has bought scripts to do it. I have seen them. He bought it with his parents' credit card. I can't report him and they can check their card history? He pays about $12 a month for it.
Ah, so he's paying someone else to do it. By "bought a script" I assumed you meant paid for a bit of JS
then just ran it, which definitely wouldn't have been right!
As root said above, report him to the police and try and be patient whilst their investigating. I'd also continually lobby your ISP - they may act eventually, it's not in their interest for one of their clients to be DDoSed either since unless you're on a low contention ratio it's going to eat into other people's bandwidth like crazy.