With the extreme popularity of Internet, network attacks emerge in an endless stream in recent years. One of the most serious attacks is distributed denial of service attack (DDoS), which easily causes large damage. DDoS attackers usually forge the source address of IP packet to hide their positions such that it is difficult to trace back attackers. To alleviate DDoS, this work takes advantage of the packet-marking method to trace the attacker’s location, as well as to detect DDoS attacks. Once detecting and locating DDoS attacks, this work initiates an overlay-network defense system to block the attacks. The basic concept of the packet-marking method is to insert some route information into rare-used fields of IP header. The insertion is based on probability. Even if attackers forges the source address of IP packet, this method can find out the attacking path by using the route information carried by the marked packets. With the attacking path, our work is also able to detect some attack packets, which have same source address but come from different far routers. Finally, this work implemented a system based on the packet marking method and the overlay-network defense approach. And this work integrated a new detection method based on packet marking into Snort. The experimental results show that our system can detect, locate, and block DDoS effectively.