Traceback schemes aim at identifying the source(s) of a sequence of packets and the nodes these packets traversed. This is useful for tracing the sources of high volume traffic, e.g., in Distributed Denial-of-Service (DDoS) attacks. In this paper, we are interested in Probabilistic Packet Marking (PPM) schemes, in which intermediate nodes probabilistically mark packets with information about their identity and the receiver uses information from several packets to reconstruct the paths traversed by these packets. The main idea of the paper is a network coding-based approach that marks packets with random linear combinations of the router ids instead of individual router ids. We show that this approach decreases significantly the number of packets required to reconstruct the attack paths. We also show that it is implementable in practice using a small number of under-utilized bits on the IP packet header; our proposed practical scheme optimizes the tradeoff in the bit-budget allocation, naturally raised by the network coding marking approach, and reconstructs the attack graph with low computational complexity, high accuracy and low delay. We also combine the network coding marking approach with adjusting the marking probabilities of different routers and show that this further improves the performance. Along the way, we accurately model the performance of our proposed as well as of prior PPM schemes based on the coupon collector’s problem with unequal probabilities. We show the significant benefit of our proposed schemes through comparison to several baseline schemes, under the same bit-budget, and considering various attack topologies. The ideas of network coding-based marking and adjusted marking probabilities are orthogonal to and can be combined with several existing PPM schemes to improve the overall performance.