A method and technique for protecting against denial of service attacks includes maintaining a session count indicating a quantity of active client sessions a server is maintaining and a session threshold specifying a maximum quantity of concurrent client sessions the server can maintain. Responsive to receiving a request from a client, a request count maintained by the server is verified to be less than the session threshold and, if so, a challenge message is sent to the client and the request count is incremented. Responsive to receiving a response message to the challenge message from the client, the response message is verified, a session with the client is established, and the session count is incremented. Responsive to terminating the session with the client, the session count and the request count are decremented.