The IP Multimedia Subsystem (IMS) is being deployed in the Third Generation (3G) networks since it supports many kinds of multimedia services. However, the security of IMS networks has not been fully examined. This paper presents a novel DoS attack against IMS. By congesting the presence service, a core service of IMS, a malicious attack can cause chained automatic reaction of the system, thus blocking all the services of IMS. Because of the low-volume nature of this attack, an attacker only needs to control several clients to paralyze an IMS network supporting one million users. To address this DoS attack, we propose an online early defense mechanism, which aims to first detect the attack, then identify the malicious clients, and finally block them. We formulate this problem as a change-point detection problem, and solve it based on the non-parametric GRSh test. Through trace-driven experiments, we demonstrate that our defense mechanism can throttle this DoS attack within a short defense time window while generating few false alarms.