Abstract: Today's Internet hosts are threatened by large-scale Distributed Denial-of-Service (DDoS) attacks. The Path Identification (Pi) DDoS defense scheme has been recently proposed as a deterministic packet marking scheme that allows a DDoS victim to filter out attack packets on a per-packet basis with high accuracy after only a few attack packets are received [1]. In this paper, we propose the StackPi marking, a new packet marking scheme based on Pi, and new filtering mechanisms. The StackPi marking scheme consists of two new marking methods that substantially improve Pi's incremental deployment performance: Stack-based marking and Write-ahead marking. Our scheme almost completely eliminates the effect of legacy routers in small quantities and performs 2-4 times better than the original Pi scheme with large quantities. For the filtering mechanism, we derive an optimal threshold strategy for filtering with the Pi marking. We also develop a new filter, the PiIP filter, which can be used to detect IP spoofing attacks with just a single attack packet. Finally, we discuss in detail StackPi's compatibility with IP Fragmentation, applicability in an IPv6 environment, and several other important issues relating to potential deployment of StackPi.

Index Terms: Security, system design, distributed denial of service defense, DDoS.