It is easier to detect a DDoS attack near the victim but it is of little use to do so. Many researchers believe that it would be best to handle DDoS attacks closer to the computers which host these attacks and have propounded various strategies for packet filtering at edge-routers. This paper makes three contributions over earlier work. First, we propose that it is best to track illegitimate packets suspected to cause a DDoS at the source computer itself. Secondly, we come up with a secure and efficient implementation (ADVOS: Anti-DDoS Virtualized Operating System) for packet filtering at the source computer itself. Security dependency on the integrity of the source operating system is removed by using virtualization to isolate the modules providing the protection capabilities. Different models of traffic characterization could possibly be used in curtailing malicious traffic, we justify the effectiveness of symmetry based model at source computers. Thirdly, we demonstrate that such an anti-DDoS operating system using virtualization can be implemented practically and efficiently. In our prototype over native Linux system 2.4% overhead was observed in the attained network throughput. Less than 1% of the total attack traffic generated was allowed to pass through on attack. Finally, we discuss the scalability and deployment issues for ADVOS.