Defense mechanisms against distributed denial-of-service (DDoS) attacks usually mitigate the attack by filtering out the excess traffic targeted at the victim. These defenses should be able to discriminate the attack from the legitimate traffic so that filtering can be selectively applied. The problem is exacerbated when spoofed addresses are used in attack packets. This paper proposes traceback-based distributed packet filter (TDPF), a novel distributed packet filtering mechanism that employs IP traceback as a means for traffic discrimination. In this defense mechanism, packet filters are relocated to the routers nearer the attack sources whenever the traceback algorithm adds such nodes to the attack tree. The filtering probabilities at packet filters are also dynamically adjusted to the volume of traffic the victim receives from each filtering router. In this way, TDPF is able to achieve a high throughput of legitimate traffic while blocking malicious flows. The burden it imposes on a participating router is negligible as well. Moreover, unlike the earlier traceback-based defenses, it can defend against intense DDoS attacks. Experimental results show that TDPF is effective in different attack scenarios. Copyright © 2013 John Wiley & Sons, Ltd.