DoS attacks remain one of the most serious threats to the Internet, and how to mitigate them is still an open issue. In addition, the current Internet faces serious scaling problems, and locator/identifier separation is widely recognized as one of the most promising solutions for the future Internet. To block DoS attack traffic in networks with locator/identifier separation, we propose a network-layer defense system called BlockDoS. BlockDoS expands the mapping entries of the mapping system to store block information, and enables any DoS attack victim to actively request that the network block unwanted traffic at tunnel routers. We implement a prototype of BlockDoS. The analysis and experimental results show that BlockDoS can block traffic from multiple millions of attackers within tens of minutes, and that the computing and storage costs added by BlockDoS will not affect the performance of the mapping servers and tunnel routers.