Blocking attack flows to protect the threatened resources is a necessary step in defending against Distributed Denial-of-Service (DDoS) attacks. Two kinds of reactive packet filtering schemes have been proposed: filtering close to the victim end and filtering close to the source ends. The first scheme involves only a single Active Filtering Router (AFR) but damages the bandwidth resources of the whole network; the second, at the other extreme, requires millions of AFRs and thus degrades network transmission performance, although it has the best defense effect. A feasible scheme should use a certain quantity of AFRs to filter attack flows between the victim end and the source ends. Going one step further, in this paper we make the first effort to study the filtering location that maximizes the protected network bandwidth while not permitting any attack flow to reach the victim. We formulate this problem as an integer linear programming problem and design an efficient heuristic filtering location algorithm. We evaluate our algorithm by integrating it into the existing filtering architecture and implementing this integration scheme on emulated DDoS scenarios based on real-world Internet topology. Our evaluation results show that, compared to the state-of-the-art source-ends filtering scheme Active Internet Traffic Filtering, this integration scheme uses only 20% of its AFRs to achieve more than 70% of its protection effect. Copyright © 2013 John Wiley & Sons, Ltd.