This has probably been covered in the past but I don't remember seeing it.

It appears that my Windows 2000 servers are getting attacked by someone with a spoofed IP.

Clues:

Firewall is yelling about a SYN flood attack.
I cannot ping the IP in question.
A Tracert only gets me to a certain point.
There is no reverse lookup for the IP.
The IP in question is using a lot of different port numbers, usually rather high ones (i.e. 25808, 46780, 27717).

The question is: what tools can I use to determine the real IP used, nail this person to the wall, and get him shut down?

Any help would be greatly appreciated.

Thanks,
Stuart