In　Internet　Service　Provider　(ISP)　networks,　Amplified　Reflection　DDoS　(AR-DDoS)　attack　is　one　of　the　main　attack　categories,　which　launches　gigabytes　of　traffic　with　little　effort　and　minimal　cost.　Thus,　the　mitigation　of　AR-DDoS　attacks　has　been　considered　as　a　crucial　part.　In　particular,　such　mitigation　requires　full　coverage　(i.e.,　mitigating　AR-DDoS　attacks　launched　from　any　location)　and　low　overhead　(i.e.,　mitigation　should　avoid　high　latency　that　degrades　user　experience).　However,　existing　solutions　suffer　from　either　limited　coverage　or　high　overhead.　In　this　paper,　we　propose　Aigis,　a　distributed　framework　that　offers　full-coverage　and　low-overhead　mitigation　of　AR-DDoS　attacks.　Our　key　idea　is　to　co-design　top-of-rack　(ToR)　switches　and　end-hosts,　which　offers　line-rate　packet　processing　performance　and　fine-grained　view　inherently,　to　jointly　execute　endpoint　verification.　Specifically,　Aigis　selectively　offloads　mitigation　operations　between　ToR　switches　and　end-hosts　and　implements　a　network-wide　epoch　synchronization　mechanism　to　guarantee　reliable　verification.　It　efficiently　coordinates　ToR　switches　and　end-hosts　to　execute　the　entire　mitigation　task.　We　have　implemented　Aigis　on　a　testbed　comprising　32×100　Gbps　Tofino　switches.　Testbed　experiments　indicate　that　Aigis　achieves　complete　full　coverage　and　orders　of　magnitude　lower　host-side　overhead　compared　to　existing　solutions.　©　2023　IEEE.