Cloud services are attractive with their advocated technical and economic advantages of transparent resource access, scalability, elasticity and multiple others. However, Cloud services also suffer from multiple infrastructure and application-level threats, with the application-layer distributed denial of service (DDoS) attack being one of the harder ones to mitigate. These attacks typically block the targeted servers by consuming the available resources to result in performance degradation along with the reduced availability of services. While some existing schemes (e.g., intrusion detection/protection) are effective for selective attacks, the evolving application layer DDoS attacks are often able to bypass them. We address this problem by proposing and validating a novel and efficient methodology, termed SENTRY, that specifically aims to mitigate application-layer DDoS attacks. SENTRY utilizes a challenge-response approach that: (a) analyses the attackers physical bandwidth resources, (b) dynamically adapts to the varied work load scenarios, and (c) blocks suspicious service requests from dishonest clients. © 2016 IEEE.