Online, Victim-driven Generation of DDoS-filtering Rules
Christopher E. Early
Committee: Jun Li (chair), Reza Rejaie, Lei Jiao
Master's Thesis (May 2018)
Keywords: DDoS defense; traffic engineering; malicious traffic

Distributed Denial-of-Service (DDoS) attacks continue to pose a significant threat to the availability of Internet services, which are increasingly ill-equipped to cope with the growing scale and frequency of such attacks. Moreover, because attackers keep discovering and quickly exploiting new attack vectors, the variety of DDoS attack types keeps growing, posing yet another obstacle to those seeking to defend against them. At the same time, in the midst of an ongoing DDoS attack the victim holds a unique advantage: it knows more than anyone else about the specific traffic patterns present, and it can leverage that knowledge to generate highly effective traffic-filtering rules. Herein we first identify and describe a fundamental trade-off between a rule set's coverage of attack traffic, its potential collateral damage to legitimate traffic, and its resource consumption. We then describe a systematic method by which a DDoS victim may generate traffic-filtering rules that adhere to the victim's own constraints, allowing a highly individualized defense to be deployed. Our proposed method relies on a unique tree-based data structure together with a set of heuristic algorithms for generating rules efficiently in real time. We evaluate our rule-generation procedure via simulated replay of three real-world DDoS attack traces, and show that we can generate rules that are highly effective at filtering DDoS traffic while satisfying the victim's constraints.
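The coverage / collateral-damage / rule-count trade-off described above, as an added illustration that is not part of the thesis: constructed sample attack and legitimate source addresses are aggregated into a binary prefix trie, and a greedy heuristic selects blocking prefixes under a rule budget and a collateral-damage cap. The trie layout, the greedy heuristic, the sample addresses and the function names are assumptions of this example, not the thesis's own data structure or algorithms.

```python
"""Added illustration of the trade-off between attack coverage, collateral
damage and rule count in victim-driven DDoS filter generation.

Constructed sample traffic (attack and legitimate source addresses with
packet counts) is aggregated into a binary prefix trie, and a greedy
heuristic picks at most `budget` non-overlapping prefixes to block while
keeping blocked legitimate traffic under a cap.  The trie layout and the
heuristic are assumptions for this example, not the thesis's own design.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    """One trie node: an IPv4 prefix plus the attack/legit packets beneath it."""
    prefix: ipaddress.IPv4Network
    attack: int = 0
    legit: int = 0
    children: dict = field(default_factory=dict)   # bit (0/1) -> Node


# Constructed sample: dotted-quad source -> packets observed during the attack.
ATTACK_SOURCES = {
    "203.0.113.10": 500, "203.0.113.11": 500, "203.0.113.12": 400,
    "198.51.100.7": 300, "198.51.100.200": 300,
}
LEGIT_SOURCES = {
    "203.0.113.50": 100, "198.51.100.20": 50, "192.0.2.5": 200,
}


def build_trie(attack, legit):
    """Insert every /32 source into a binary trie, accumulating counts on
    every prefix along the path so each node knows what blocking it costs."""
    root = Node(ipaddress.IPv4Network("0.0.0.0/0"))
    for table, kind in ((attack, "attack"), (legit, "legit")):
        for addr, count in table.items():
            bits = int(ipaddress.IPv4Address(addr))
            node = root
            setattr(node, kind, getattr(node, kind) + count)
            for depth in range(1, 33):
                bit = (bits >> (32 - depth)) & 1
                if bit not in node.children:
                    net_int = (bits >> (32 - depth)) << (32 - depth)
                    node.children[bit] = Node(ipaddress.IPv4Network((net_int, depth)))
                node = node.children[bit]
                setattr(node, kind, getattr(node, kind) + count)
    return root


def candidate_rules(root):
    """Every non-root trie node is a candidate 'drop this prefix' rule."""
    stack = list(root.children.values())
    while stack:
        node = stack.pop()
        yield node
        stack.extend(node.children.values())


def select_rules(root, budget, max_collateral):
    """Greedy heuristic (an assumption of this example): rank candidates by
    attack packets covered, then by legitimate packets hit, then prefer the
    most specific prefix with that effect (unseen legitimate sources hide in
    wide prefixes); choose non-overlapping rules until the budget is used,
    skipping any that would push blocked legitimate traffic over the cap.

    Returns (rules, coverage, collateral): coverage and collateral are the
    fractions of attack and legitimate packets the rule set would drop."""
    cap = max_collateral * root.legit
    chosen, blocked_attack, blocked_legit = [], 0, 0
    ranked = sorted(candidate_rules(root),
                    key=lambda n: (-n.attack, n.legit, -n.prefix.prefixlen,
                                   int(n.prefix.network_address)))
    for node in ranked:
        if len(chosen) >= budget:
            break
        if blocked_legit + node.legit > cap:
            continue
        if any(node.prefix.overlaps(c.prefix) for c in chosen):
            continue
        chosen.append(node)
        blocked_attack += node.attack
        blocked_legit += node.legit
    return ([str(c.prefix) for c in chosen],
            blocked_attack / root.attack,
            blocked_legit / root.legit)


if __name__ == "__main__":
    trie = build_trie(ATTACK_SOURCES, LEGIT_SOURCES)
    for budget, cap in ((3, 0.0), (2, 0.0), (2, 0.3)):
        rules, cov, col = select_rules(trie, budget, cap)
        print(f"budget={budget} max_collateral={cap:.0%}: {rules} "
              f"coverage={cov:.0%} collateral={col:.1%}")
```

Running the three settings shows the trade-off on this constructed data: three rules with a zero collateral cap cover all attack traffic; cutting the budget to two rules drops coverage to 85% because the two scattered 198.51.100.x attackers need a rule each; allowing a 30% collateral cap restores full coverage with two rules, but the aggregate 198.51.100.0/24 rule also drops the one legitimate source inside it (about 14% of legitimate packets). One caveat a practitioner should keep in mind: counts in the trie reflect only sources observed in the trace, so a wide prefix may hide legitimate sources that have not yet appeared, which is why ties here prefer the most specific prefix with the same observed effect.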