So I logged in this morning and someone had DDoSed me. Luckily it only affected one of my five servers. The guy didn't even dare to delete the list of zombie servers he used to DDoS me from my logfile, but changed his IP address.
Is there a way I can trace back to him? Is the nmap analyzer built in a way that I can use it on his zombie servers to find his new IP, or will it only log people connected as root?
No, you can not find him.
When you get a new IP address from the ISP, there is no link between the old and new IP. There is no way to get the new IP address from the old address. That is what the IP reset is for: giving you a fresh start.
On Lars's answer: in general, no.
But if the guy was stupid enough to upload and install a virus onto your server, then his next DDoS attack would be logged on your server.
Secondly, if you still have the list of IPs from the DDoS result, try going on one of those IPs and check their logs and see if that same guy DDoS'd someone else.
And I bet he is going to come back and DDoS you again.
Generally, if there is a long list of zombie servers, they will not go to all of them and delete their IP from all of them. It should say, on one of the IPs, "DDoS attack against (your IP) initiated by (their IP)" if I am not mistaken. But if they are on popular servers, such as someone who doesn't understand the importance of log deleting/altering, or on NPC servers, it is possible people just go on and delete all of the logs when they log on instead of just theirs. Please correct me if I'm wrong, but I believe that is how someone tracked me after I DDoS'd them.