A transit-link distributed denial-of- service (DDoS) attack is a special attack in which the attacker sends out a huge number of requests to exhaust the capacity of a link on the path the traffic comes to a server. As a result, denial-of- service and degradation of Quality-of-Service (QoS) occurs. Because the attack traffic does not go to the victim, protecting the legitimate traffic alone is hard for the victim. With the help of a special type of router called filter router (FR), the victim can protect the legitimate traffic. A FR can receive filter from servers and apply the filter to block a link incident to it. By analyzing traffic rates and paths, the victim can identify some links that may be congested. The victim needs to select some of these possible congested links and send a filter to the corresponding FR so that the legitimate traffic follows non-congested paths. In this paper, we formulate an optimization problem for selecting the minimum number of possible congested links so that the legitimate traffic goes through a non-congested path. We consider the scenario where every user has at least one non- congested shortest path. We transform the problem to the vertex separation problem to find the links to block. We build our own Java multi-threaded simulator and conduct extensive simulations.