The threat of denial of service flooding attacks in the Internet is rapidly increasing. Especially the use of techniques that allow attackers to hide their attack traffic raises concerns: attack distribution and rotation in botnets to obfuscate senders, low-rate bandwidth attacks, and attacks that mimic realistic patterns such as flash crowds. The defense against such attacks is limited due to a deadlock: the attacks must be stopped inside the network, but the network is unable to distinguish legitimate and unsolicited traffic. In contrast, end systems may distinguish legitimate users from bots, but are unable to stop the attacks inside the network. This paper advocates for a joint end system-network defense to address such attacks in the future. Edge-based capabilities (EC) is a novel framework that combines end-to-end authentication with network-based control. Applications authenticate legitimate senders and issue capabilities to tag their packets, and the network filters out untagged packets. This paper describes the mechanisms that make EC a secure, efficient, and scalable solution. Moreover, we argue that EC is an attractive solution because it can be incrementally deployed and because it provides the right incentives to users, servers, and ISPs.