
A Low-Storage Hybrid IP Traceback Scheme Suited to Packet Reassembly

Accommodating Fragmentation in Hybrid IP Traceback with Efficient Packet Logging

Advisor: 楊明豪

Abstract


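In recent years the Internet has developed rapidly and network-related applications have become widespread, but this has also produced many network security problems. Because attackers can forge the source IP address to hide their location and launch attacks, finding the attacker is very difficult. Many studies have proposed packet traceback schemes. Among them, packet logging schemes can trace an attacker from a single packet but require a large amount of storage; packet marking schemes do not need to store packet information on routers but must collect a large number of attack packets; hybrid traceback schemes combine packet logging and packet marking, so they achieve single-packet traceback while reducing the storage routers need for logging. In this thesis we propose a hybrid IP traceback scheme with 16-bit marking that achieves single-packet traceback. We compare it with the existing hybrid traceback schemes MRT, RIHT and MORE. For MRT and MORE, storage, search speed, false positive rate and false negative rate all increase with packet volume. Our storage and search time are slightly higher than RIHT's, but we are still not affected by packet volume. RIHT, however, uses 32-bit packet marking, which interferes with packet reassembly, and its marks are affected by packet fragmentation, which causes false positives, so the number of false positives in RIHT depends on packet volume. Our method is currently the only one that is not affected by packet volume. Experimental results show that our method has the advantages of low storage, fast log-table search and a zero false positive rate.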

Parallel abstract


Because the Internet has been widely applied in various fields, more and more network security issues emerge and catch people’s attention. Adversaries often hide themselves by spoofing their IP addresses before launching attacks. For this reason, researchers have proposed many traceback schemes to trace the source of these attacks. Some are packet logging schemes that need only one packet to achieve IP tracking, but packet logging inevitably requires much storage on routers. Some use packet marking for traceback. Packet marking does not need much storage on routers, but it must collect a large number of attack packets. Others combine packet marking with packet logging to create hybrid IP traceback schemes that demand less storage but require longer searches. In this paper, we propose a new hybrid IP traceback scheme that uses 16-bit marking fields and requires only 1 packet for IP tracking. Our performance analysis shows that the storage requirements, computation loads, false positives and false negatives of both MORE and MRT all grow with the number of packets. Although our scheme’s storage requirements and computation loads are slightly higher than RIHT’s, we do not have fragment issues and drop issues in our packet re-assembly. Because RIHT uses 32-bit marking fields, it inevitably suffers from these two issues, and its false positive rate increases with the number of packets. Our traceback scheme is the only one that is not affected by the number of packets. Our simulations show that our scheme not only requires low storage and low computation but also achieves 0 false positives and 0 false negatives.


Cited by


Huang, C. N. (2011). The Influence of Gender-differentiated Speech Styles on Task-based Conversational Interactions in a Foreign Language [master's thesis, National Tsing Hua University]. Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0016-0805201213305733
