The design of the IP protocol makes it difficult to reliably identify the originator of an IP packet, causing the defense against Distributed Denial of Service attacks to become one of the hardest problems on the Internet today. Previous solutions for thimany reasons this requirement is impractical and the victim results with an approximate location of the attacker. Reconstruction of the whole path is also very difficult due to the sheer size of the Internet. This paper presents lightweight schemes for tracing back to the attack-originating AS instead to the exact origin itself. Once the attack-originating AS is determined, all further routers in the path to the attacker are within that AS and under the control of a single entity; which can presumably monitor local traffic in a more direct way than a generalized, Internet scale, packet marking scheme can. We furthermore, provide a scheme to prevent compromised routers from forging markings.s problem try to traceback to the exact origin of the attack by requiring every router