Someone keeps attacking my server, but unfortunately I've switched my OS to FreeBSD (I earlier used Debian 5.0 Lenny), and none of the netstat or tcpdump commands I used on Debian work on FreeBSD.
So how can I detect attacker IP address so I could block this guy in the firewall?
By definition/design... a DDoS is not coming from a single IP address. DDoS = Distributed Denial of Service. In short... a large botnet is typically used to attack a single target, being controlled by a single attacker who could potentially be anywhere in the world. Unfortunately, simply blocking the IPs of the attacker's bots will not solve your headaches. In many cases, your "smaller" internet connection simply cannot keep up with the HUGE amount of traffic generated by such an attack. Even when you drop the incoming data, your bandwidth has still been consumed. In those instances, your headaches go away when the attacker discontinues his attack. Such an attack must be dealt with by your ISP in order to do anything about it.
Whilst not the answer you might be looking for, I think what you are trying to do is going to be unmanageable.
If your system is exposed to the internet, it will get attacked. It might be coming from 1.2.3.4 today, but if you block that address, it could be 2.3.4.5 attacking you the following day. You will end up with a massive unmanageable list of IP addresses that are likely to be dynamically assigned anyway.
Instead of blacklisting "bad" IP addresses, why not use a default deny all rule, and whitelist good IP addresses and services that you do actually want to expose to the internet?
Attackers also often use spoofed addresses. Probably what you are looking for is sockstat.
There is also the accf kernel module, which might help you depending on what your applications are.
I'd also recommend using pf. You could build something along the lines of:
Stateful tracking will be your friend.
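To make the last answer concrete, here is an added example (not code from the original post or from any of the answerers) that does the two things discussed: it counts connections per remote address from sockstat output so you can spot the noisy source, and it emits a pf.conf fragment that uses stateful tracking with source limits so pf populates a block table by itself instead of you chasing addresses by hand. The sockstat sample, the interface name em0, the table name bruteforce and the thresholds are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example for the FreeBSD question above. Constructed sample of
# `sockstat -4 -c` output (one established TCP connection per row):
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1234  4  tcp4   203.0.113.10:80       198.51.100.7:51200
www      httpd      1234  5  tcp4   203.0.113.10:80       198.51.100.7:51201
www      httpd      1234  6  tcp4   203.0.113.10:80       198.51.100.7:51202
www      httpd      1234  7  tcp4   203.0.113.10:80       192.0.2.44:40001
root     sshd       900   3  tcp4   203.0.113.10:22       192.0.2.44:40002
www      httpd      1234  8  tcp4   203.0.113.10:80       198.51.100.7:51203'

# top_sources THRESHOLD  (reads sockstat -4 -c output on stdin)
# Prints "count ip" for every foreign address holding at least THRESHOLD
# TCP connections, busiest first. The header line (NR == 1) is skipped and
# the port is stripped from the FOREIGN ADDRESS column ($7).
top_sources() {
    threshold="$1"
    awk -v t="$threshold" 'NR > 1 && $5 ~ /^tcp/ {
        split($7, a, ":"); ip = a[1]; n[ip]++
    }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

# suspect_ips THRESHOLD  (same input) -> bare IP list for feeding to pfctl
suspect_ips() {
    top_sources "$1" | awk '{ print $2 }'
}

# Manual block for one address: adds it to the <bruteforce> table at runtime
# (needs root and a loaded pf; defined here, not invoked).
block_ip() {
    pfctl -t bruteforce -T add "$1"
}

# pf.conf fragment relying on stateful tracking: any source that opens more
# than 50 states, or more than 15 new connections in 5 seconds, is added to
# <bruteforce> and all its existing states are flushed. The table persists
# across rule reloads; em0 is an assumed external interface name.
pf_rules() {
    cat <<'EOF'
ext_if = "em0"
table <bruteforce> persist
block in log quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp to port { 22, 80 } flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 15/5, overload <bruteforce> flush global)
EOF
}

# Stand-alone demo on the constructed sample.
echo "sources with 3+ connections:"
printf '%s\n' "$SAMPLE_SOCKSTAT" | top_sources 3
echo "pf.conf fragment:"
pf_rules
```

On a live box, pipe the real thing: `sockstat -4 -c | top_sources 20`. After loading the rules (`pfctl -nf /etc/pf.conf` to syntax-check, then `pfctl -f /etc/pf.conf`), `pfctl -t bruteforce -T show` lists what pf has caught, and because the block rule is logged, `tcpdump -n -e -ttt -i pflog0` shows the dropped packets. FreeBSD does ship netstat and tcpdump; the Linux-specific flags are what differ (`netstat -an -f inet` and `tcpdump -ni em0` are the FreeBSD equivalents). As the first answer notes, none of this helps against a real volumetric DDoS or spoofed sources; it is for the single noisy client case.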