In this paper, the DDoS Attack Traceback and Mitigation System (DATMS) is proposed to trace DDoS attack sources based on network performance monitoring. By monitoring packet loss rate and packet arrival rate, the routers on victim flows that are as near as possible to the attack sources, called Approximate Attack Entry Nodes (AENs), can be traced. DATMS adopts on-line analysis instead of post-mortem analysis to reduce the trace time. In addition, a packet filter controller that adapts to queue length is proposed to mitigate DDoS attacks. Since it is extremely difficult to distinguish between attack flows and victim flows on core routers, the proposed packet filter is very simple and has lower overhead. Finally, experimental results from NS-2 simulations show that DDoS attacks are effectively mitigated by DATMS.