Denial-of-Service attacks continue to plague the Internet. Tracing an individual attack packet to its origin is an important step in defending against these attacks. For this reason, researchers have proposed several approaches for single-packet IP traceback. Packet logging is a generic technique in these methods, which results in the high overhead at routers and low traceback accuracy. In this paper, we propose a novel path-based approach for single-packet IP traceback. Our approach makes use of the routing paths to set up traceback paths, instead of packet logging, so as to improve single-packet IP traceback in several dimensions: (i) our storage overhead is only related to the number of routing paths, no matter how many packets traverse on them; (ii) the number of queried routers during the traceback process is only related to the number of hops in the attack path; (iii) the false positives in attack-path construction can be negligible. We perform extensive mathematical analysis and simulations to evaluate our approach. The results show that our approach represents a step forward in preciseness and efficiency compared with the previous work. Copyright © 2013 John Wiley & Sons, Ltd.