DIDA: Distributed In-Network Defense Architecture Against Amplified Reflection DDoS Attacks


Abstract:

With each new DDoS attack potentially becoming a higher intensity attack than the previous ones, current ISP measures of over-provisioning or employing a scrubbing service are becoming ineffective and inefficient. We argue that we need an in-network solution (i.e., entirely in the data plane), to detect DDoS attacks, identify the corresponding traffic and mitigate promptly. In this paper, we propose the first distributed in-network defense architecture, DIDA, to cope with the sophisticated amplified reflection DDoS (AR-DDoS) attacks. We leverage programmable stateful data planes and efficient data structures and show that it is possible to keep track of per-user connections in an automated and distributed manner without overwhelming the network controller. Building on top of this data, DIDA can easily detect if unsolicited attack packets are sent towards a victim within an ISP network. Once an attack is detected, the routers at the network edge automatically block the malicious sources. We prototype DIDA in P4. Our preliminary experiments show that DIDA can detect and mitigate 99.8% of amplification attacks containing 7,000 different sources while requiring less than 1% of the memory of current programmable switches.
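The detection logic the abstract describes (record per-user outbound requests in the data plane, treat an inbound reply that matches no recorded request as unsolicited, block the source at the edge), as an added Python model that is not the paper's P4 prototype. The Bloom filter, the per-source counter, the blocking threshold and all addresses are assumptions of this example, not details taken from the paper.

```python
"""Added example (not DIDA's own code): an edge-router model of stateful,
in-network detection of unsolicited reflected replies. Bloom filter size,
threshold and traffic are constructed assumptions for illustration."""
import hashlib
from collections import Counter

class BloomFilter:
    """Fixed-size bit array, standing in for switch register memory."""
    def __init__(self, bits=4096, hashes=3):
        self.bits, self.hashes, self.array = bits, hashes, bytearray(bits)

    def _idx(self, key):
        for i in range(self.hashes):
            h = hashlib.sha256(f"{i}:{key}".encode()).digest()
            yield int.from_bytes(h[:4], "big") % self.bits

    def add(self, key):
        for i in self._idx(key):
            self.array[i] = 1

    def __contains__(self, key):
        return all(self.array[i] for i in self._idx(key))

class EdgeRouter:
    """Tracks solicited flows; blocks sources that keep sending unsolicited replies."""
    def __init__(self, threshold=3):
        self.flows = BloomFilter()
        self.unsolicited = Counter()   # keyed by external source address
        self.blocked = set()
        self.threshold = threshold

    def outbound(self, src, sport, dst, dport):
        # Store the flow as the reply would arrive (swapped endpoints).
        self.flows.add((dst, dport, src, sport))

    def inbound(self, src, sport, dst, dport):
        """Return 'forward', 'drop' or 'block' for a packet entering the ISP."""
        if src in self.blocked:
            return "drop"
        if (src, sport, dst, dport) in self.flows:
            return "forward"           # reply to a request a user actually made
        self.unsolicited[src] += 1
        if self.unsolicited[src] >= self.threshold:
            self.blocked.add(src)      # edge router blocks the reflector
            return "block"
        return "drop"

def simulate():
    """Constructed traffic: one legitimate DNS exchange, then reflected replies."""
    r = EdgeRouter()
    r.outbound("10.0.0.5", 40000, "198.51.100.2", 53)
    legit = r.inbound("198.51.100.2", 53, "10.0.0.5", 40000)
    flood = [r.inbound("203.0.113.9", 53, "10.0.0.5", 40000) for _ in range(4)]
    return legit, flood
```

The model keeps only a few kilobytes of filter state regardless of how many sources the flood uses, which is the memory property the abstract emphasises.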
Date of Conference: 29 June 2020 - 03 July 2020
Date Added to IEEE Xplore: 12 August 2020
Conference Location: Ghent, Belgium