There are a number of laws regarding hacking a computer you don’t have authorization to hack: the CFAA in the USA, the CMA in Great Britain, the CHM in Australia, and the list goes on. All of them make it illegal to do what you want to do, and in some cases have pretty strict penalties for even the smallest of actions.
The term most often used to describe what you’re talking about is Hacking Back. It’s part of the Offensive Countermeasures movement that’s gaining traction lately. Some really smart people are putting their heart and soul into figuring out how we, as an industry, should be doing this. There are lots of things you can do, but unless you’re a nation-state, or have orders and a contract from a nation-state, your options are severely limited.
There’s always an “Abuse” email address on the whois of a netblock for reporting misuse of an IP address.
You can use http://whois.domaintools.com/ to do a whois lookup to get the address.
If you are using WordPress, use Wordfence! They are really good!
Don’t play their game, you’ll lose
I’ve learned not to play that game; hackers by nature have more spare time than you and will ultimately win. Even if you get him back, your website will be unavailable to your customers for a solid week afterwards. Remember, you’re the one with public-facing servers; you have an IP of a random server that he probably used once. He’s the one with a bunch of scripts and likely more knowledge than you will get in your quest for revenge. Odds aren’t in your favor and the cost to your business is probably too high to risk losing.
It’s most likely not his IP
This kind of hacking is incredibly low priority to law enforcement, and the IP you have probably belongs to a server 1000 miles away from said hacker. If you are intent on getting his IP, he may have used a proxy whose purpose isn’t anonymity. If you track HTTP headers, look for X-Forwarded headers in the offending requests; those will more likely have his real IP if they’re there. Nobody bothers with chaining proxies for “fun” hacks like this. But again, don’t bother: he’s hacked you, he won, and if you play his game, he will win again. Right now it’s not personal to him, so the cost of a DDoS attack on you doesn’t outweigh the benefit yet.
If you must play the game
I used to set up honeypots for hackers. When one would make it into my intentionally left vulnerable server in my DMZ, I would place some fun files that look important and lead to other fun goodies that aren’t so good for a PC’s health. Now if I do set up a honeypot, it’s just a logging server with a few vulnerable ports so I am alerted to attempts on my network. That way I can watch a little more closely when it’s important.
You’re looking at this wrong
When a guy cuts you off on the interstate and you rush up to get him back, his response isn’t always going to be good for your health. Instead of getting even, think of your experience as a free security audit where the only expense was doing work that you should have done in the first place. Hackers are frustrating, but the first couple of times this happens will change your view of security.
You give the information you have to the appropriate authority, and then you’re done. That’s it. As a rule, hosting companies will not share personal information of their clients unless you are local law enforcement with the appropriate warrant or court order. It’s their liability if they do otherwise.
Don’t expect a follow-up report from them, don’t expect names or arrests or anything more than an acknowledgement that they heard you — sometimes not even that. These companies often deal with dozens of these reports a week or more. Their abuse team will deal with it, and they appreciate your assistance as they want to keep their network clean, and your report will probably trigger several days’ worth of activity. But they have a clear-cut policy that they follow to the letter for liability reasons, and it intentionally doesn’t include reporting back to the original reporter. Nothing against you specifically.
Also, remember that though you found the hacker, it’s almost certainly not his account on the server.
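As an added example (not part of any answer above), one way to assemble the evidence for an abuse report: it groups the offending requests by connecting address and lists any X-Forwarded-For values as unverified leads, since that header is supplied by the client and can be forged. The log format (combined format plus a trailing X-Forwarded-For field), the sample lines and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed log format: combined log format plus a trailing quoted X-Forwarded-For field.
LINE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
    r' "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 401 512 "-" "curl/8.0" "203.0.113.45"
198.51.100.7 - - [12/Mar/2024:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 401 512 "-" "curl/8.0" "203.0.113.45, 10.0.0.3"
198.51.100.7 - - [12/Mar/2024:03:14:11 +0000] "POST /xmlrpc.php HTTP/1.1" 403 128 "-" "curl/8.0" "not-an-ip"
192.0.2.10 - - [12/Mar/2024:03:15:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
"""

def forwarded_candidates(xff):
    """Return valid, non-internal addresses from an X-Forwarded-For value."""
    out = []
    for part in xff.split(","):
        try:
            ip = ipaddress.ip_address(part.strip())
        except ValueError:
            continue  # header is client-supplied: junk or "-" is expected
        if not any(ip in net for net in INTERNAL):
            out.append(str(ip))
    return out

def abuse_evidence(log_text, offending_paths):
    """Group offending requests by connecting peer; forwarded IPs are unverified leads."""
    report = defaultdict(lambda: {"requests": [], "forwarded": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        parts = m["req"].split() if m else []
        if len(parts) < 2 or parts[1] not in offending_paths:
            continue  # unparseable line or a request we are not reporting
        entry = report[m["peer"]]
        entry["requests"].append((m["ts"], m["req"], int(m["status"])))
        entry["forwarded"].update(forwarded_candidates(m["xff"]))
    return dict(report)

if __name__ == "__main__":
    for peer, ev in abuse_evidence(SAMPLE_LOG, {"/wp-login.php", "/xmlrpc.php"}).items():
        print(peer, len(ev["requests"]), "requests; forwarded (unverified):", sorted(ev["forwarded"]))
```

The connecting address is the one to look up in whois for the abuse contact; the forwarded addresses go in the report as supporting detail, with timestamps and time zone included.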