In a denial-of-service (DoS) attack, the attacker sends a huge number of requests to exhaust the capacity of a server. The victim can no longer serve incoming requests, and a DoS occurs. When the attacker stops sending requests, the victim returns to a working state. The most devastating distributed DoS attacks are performed by bots, malicious programs that reside on affected users' computers. The victim can protect itself by using a special type of router called a filter router (FR). The server sends filters to FRs to block attack traffic. At the FR, a filter blocks both attack traffic and user traffic destined for the victim, so the victim needs to select a subset of FRs wisely to minimize the blockage of users. The victim's operation is not hampered as long as the total incoming traffic does not exceed its capacity. In this paper, we formulate the problem of selecting FRs given a budget on the number of filters. The problem takes into account that the victim has limited incoming bandwidth, and we provide an optimal dynamic programming solution. We conduct extensive simulations in different settings. Our simulation results strengthen the support for our solutions.
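A simplified version of the selection problem described above, as an added example that is not the paper's own formulation or algorithm. It assumes each FR carries an independent, integer-valued amount of attack and user traffic (no FR sits upstream of another); the function name, router names and rates are constructed for illustration.

```python
from math import inf

def select_filter_routers(routers, capacity, budget):
    """Choose at most `budget` FRs to filter so that the traffic still
    reaching the victim fits in `capacity`, blocking as little user
    traffic as possible.

    routers: list of (name, attack_rate, user_rate), integer rates (assumed model).
    Returns (blocked_user_traffic, chosen_names), or None if infeasible.
    """
    total = sum(a + u for _, a, u in routers)
    need = max(0, total - capacity)  # traffic that must be removed at FRs

    # dp[j][r] = (min user traffic blocked, chosen FRs) using exactly j
    # filters that together remove r units of traffic (r is capped at `need`).
    dp = [[(inf, ())] * (need + 1) for _ in range(budget + 1)]
    dp[0][0] = (0, ())

    for name, attack, user in routers:
        # Descending j keeps this a 0/1 choice: each FR gets at most one filter.
        for j in range(budget - 1, -1, -1):
            for r in range(need + 1):
                cost, chosen = dp[j][r]
                if cost == inf:
                    continue
                # A filter at this FR drops its attack AND its user traffic.
                nr = min(need, r + attack + user)
                if cost + user < dp[j + 1][nr][0]:
                    dp[j + 1][nr] = (cost + user, chosen + (name,))

    best = min((dp[j][need] for j in range(budget + 1)), key=lambda t: t[0])
    return None if best[0] == inf else best

# Constructed sample input: (FR name, attack rate, user rate)
ROUTERS = [("FR1", 80, 10), ("FR2", 50, 40), ("FR3", 5, 60), ("FR4", 60, 20)]

if __name__ == "__main__":
    # Total offered traffic is 325; the victim can absorb 160.
    print(select_filter_routers(ROUTERS, capacity=160, budget=2))
    print(select_filter_routers(ROUTERS, capacity=160, budget=1))
```

With a budget of one filter no single FR removes enough traffic, so the function reports the instance as infeasible rather than returning a partial selection.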