One of the major problems faced by Internet hosts is denial-of-service (DoS) caused by IP packet floods. IP routers respond to overload by dropping packets arbitrarily, contrary to the goals of the host. We believe that hosts -- not the network -- should be given control to respond to packet floods and overload. In particular, hosts would benefit from fine-grained control over how routers process the packets addressed to them. We show how hosts can defend themselves against packet flooding attacks by (i) protecting the traffic of established connections, (ii) isolating an attack on one service from other services, and (iii) limiting the rate of new connections. We present two solutions that give hosts these defenses in the network -- one is based on the Internet Indirection Infrastructure, and the other is an IP-based solution.