In this talk, I will describe a capability-based network architecture that can effectively fend off DoS attacks. Capabilities transform a destination's access control policy to network filtering actions. A destination grants capabilities to legitimate users. These users send packets with valid capabilities. Network filters traffic based on capabilities, thereby shielding the destination from unwanted traffic.