In this work, we introduce the Catch-22 attack, a distributed denial-of-service (DDoS) link-flooding attack that exploits real-world limitations of DDoS defense. An attacker in the Catch-22 attack leverages virtual private server (VPS) providers and residential proxy services as vehicles for assembling a botnet, and employs moving target attack techniques to not only maximize the amount of strain on DDoS defense, but also maximize the amount of collateral damage incurred by attacked networks, thereby wreaking havoc on wide swaths of the Internet. In fact, according to our preliminary evaluation, the Catch-22 attack can cause significant collateral damage to over thousands of websites from a major VPS provider. To the best of our knowledge, no existing work has yet to present a solution for such an attack, let alone study it.