Is there ANY chance to fight against spoofed IPs?
Not really on your side, unfortunately. You can exclude large portions of the possible IPv4 address space as they are reserved -- there's a list on the same FTP site as the definitive assigned port listings, but I'm not sure how accurate it actually is -- but the attacker can still pick valid IP addresses at will that you don't want to simply deny access to your server. The only real way to stop spoofing is for everyone to perform egress filtering to stop spoofed packets from leaving one's network. If I've got 1.2.3.4/24 assigned to me, then only packets with a source address of 1.2.3.0 through 1.2.3.255 should be allowed to leave my network (actually those two probably shouldn't, but anything between them should). This is something ISPs should do as well and that's where you could perhaps succeed.
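The egress policy described in the answer above, written out as an added example (this is not code from the thread or from any ISP's configuration). It assumes the network owns 1.2.3.0/24, the block the answer uses, and goes slightly beyond the answer by also dropping the obviously bogus sources (0.0.0.0, loopback, multicast, link-local, 240/4) that the reserved-address list mentioned above would cover. The packet list is constructed sample input, not captured traffic.

```python
"""Egress filter for a network assigned one address block.

Added illustration, not code from the thread. Assumptions: the network
owns 1.2.3.0/24 (the block the post uses as its example) and the packet
list at the bottom is constructed sample input, not captured traffic.
"""
import ipaddress
from collections import Counter

ASSIGNED = ipaddress.ip_network("1.2.3.0/24")


def egress_verdict(src, assigned=ASSIGNED):
    """Decide whether a packet with source address `src` may leave the
    network. Returns 'forward' or a 'drop: ...' reason."""
    addr = ipaddress.ip_address(src)
    # Sources that can never legitimately appear on the wire from anyone:
    # 0.0.0.0, loopback, multicast, link-local and the reserved 240/4 space.
    if (addr.is_unspecified or addr.is_loopback or addr.is_multicast
            or addr.is_link_local or addr.is_reserved):
        return "drop: bogon source"
    # The core of egress filtering: only our own block may leave our border.
    if addr not in assigned:
        return "drop: source outside assigned block"
    # The network and broadcast addresses are not hosts and should not
    # originate traffic either (the "those two" the post alludes to).
    if addr in (assigned.network_address, assigned.broadcast_address):
        return "drop: network or broadcast address as source"
    return "forward"


def filter_egress(packets, assigned=ASSIGNED):
    """Apply the policy to (src, dst) pairs; return the packets that pass."""
    return [pkt for pkt in packets if egress_verdict(pkt[0], assigned) == "forward"]


def summarize(packets, assigned=ASSIGNED):
    """Count verdicts, the way a border router's ACL counters would."""
    return Counter(egress_verdict(pkt[0], assigned) for pkt in packets)


# Constructed sample traffic seen at the border, outbound direction.
SAMPLE_PACKETS = [
    ("1.2.3.17", "198.51.100.8"),     # a real host on our block
    ("1.2.3.200", "198.51.100.8"),    # another real host
    ("1.2.3.0", "198.51.100.8"),      # network address as source
    ("1.2.3.255", "198.51.100.8"),    # broadcast address as source
    ("10.20.30.40", "198.51.100.8"),  # spoofed: not our block
    ("203.0.113.9", "198.51.100.8"),  # spoofed: somebody else's public IP
    ("127.0.0.1", "198.51.100.8"),    # bogon
    ("224.0.0.1", "198.51.100.8"),    # multicast as source
]

if __name__ == "__main__":
    for src, _ in SAMPLE_PACKETS:
        print(f"{src:>14}  {egress_verdict(src)}")
    print(summarize(SAMPLE_PACKETS))
```

The check is deliberately done on the source address only: at the egress point the destination is irrelevant, and the same three tests are what an ISP would encode as an inbound ACL on the customer-facing interface.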
It's surely a one-way call; however, the server is very vulnerable to this. What if such a guy gets on a leased line, not on dial-up? He could make 100 calls/second with almost no chance to trace.
What if he uses a DDoS with many well-connected zombies? You are right, you are experiencing a real problem. But unfortunately, you can't solve it on your end, you need the cooperation of his ISP, I'm afraid.
Is there any tool to block/recognize/delay/check for spoofed IPs?
Well, if they're not actually assigned or are unused at the time, they won't respond to the SYN/ACK packet your server sends back to it and the connection will time out after a while. However, this causes resource consumption on your server, as the half-open connection is kept in the TCP state table until the timeout expires. Perhaps that timeout can be reduced. However I'm not sure if that is your problem or if the packets are saturating your link to your ISP. In the latter case, there's nothing you can do. The packets would need to be dropped before they reach your suspected small pipe, i.e. at his ISP or at yours. Of these two, only his ISP can effectively (and easily, for that matter) identify the spoofed packets, so that's the natural point where the operation should take place.
Maybe those spoofed packets could be logged on his ISP's gateway router? (I think I know which ISP's service he's using.)
If his ISP is using Cisco routers, then a simple ACL (access control list) such as:

    access-list 1 permit 10.20.30.0 0.0.0.255
    interface BRI0
     ip access-group 1 in

would allow the subnet 10.20.30.0/24, which I assume him to have, into the router and the implicit deny rule would drop anything else. (Note the wildcard mask: 0.0.0.255 covers a /24; 0.255.255.255 would have permitted all of 10.0.0.0/8.)
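To make the ACL semantics concrete, here is an added example (not code from the thread, and not an IOS implementation) that evaluates a Cisco-style standard access list in software: wildcard masks are the bitwise inverse of a netmask, entries are tested in order, and anything unmatched hits the implicit deny. The customer block 10.20.30.0/24 is the assumption made in the answer above; the comparison with a 0.255.255.255 wildcard shows why the mask width matters for an anti-spoofing filter.

```python
"""Cisco-style standard access list evaluated in software.

Added illustration, not code from the thread. It models the ACL in the
post: a wildcard mask is the bitwise inverse of a netmask (0 = bit must
match, 1 = don't care), entries are tested in order, and a packet that
matches nothing hits the implicit deny at the end of the list.
"""
import ipaddress


def ip_to_int(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    """True if `addr` matches `base` under the Cisco wildcard mask."""
    a, b, w = ip_to_int(addr), ip_to_int(base), ip_to_int(wildcard)
    care = 0xFFFFFFFF ^ w          # bits that must match
    return (a & care) == (b & care)


def prefix_to_wildcard(prefixlen):
    """Wildcard mask for a CIDR prefix length: 24 -> 0.0.0.255, 8 -> 0.255.255.255."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").hostmask)


def acl_verdict(acl, src):
    """First matching entry wins; no match means the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


def render_acl(number, acl, interface):
    """Emit the IOS configuration lines for `acl` applied inbound on `interface`."""
    lines = [f"access-list {number} {a} {b} {w}" for a, b, w in acl]
    lines += [f"interface {interface}", f" ip access-group {number} in"]
    return "\n".join(lines)


# Inbound filter on the customer-facing interface: only the customer's
# /24 may enter (assumed to be 10.20.30.0/24, as in the post).
CUSTOMER_ACL = [("permit", "10.20.30.0", prefix_to_wildcard(24))]

# Same entry with a /8 wildcard: this lets any 10.x.x.x source through,
# so a host spoofing 10.99.1.1 is not stopped.
LOOSE_ACL = [("permit", "10.20.30.0", "0.255.255.255")]

if __name__ == "__main__":
    print(render_acl(1, CUSTOMER_ACL, "BRI0"))
    for src in ("10.20.30.5", "10.99.1.1", "203.0.113.9"):
        print(f"{src:>12}: strict={acl_verdict(CUSTOMER_ACL, src)} "
              f"loose={acl_verdict(LOOSE_ACL, src)}")
```

Applied inbound on the customer's interface, this is exactly the ingress-side counterpart of the egress filtering discussed earlier: the router only accepts sources the customer was actually assigned.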
Still I can't understand why that router routes such packets, because none of them belongs to that network. I'm not a big expert in routing, but it seems weird to me.
It's very unfortunate from a security point of view and the only argument against the egress filtering on their border routers (or those that border their 'peering transit zones') is the hit in performance associated with access lists. However, people like your friend can happily abuse the absence of filtering and create illegal packets that cause load on the ISP's equipment as well...

Good luck,
Tobias