Denial-of-service attacks present a serious threat to the availability of online services. Distributed attackers, i.e. botnets, are capable of exhausting the server capacity with legitimate-looking requests. Such attacks are difficult to defend against using traditional filtering mechanisms. We propose a machine learning and filtering system that forms a profile of normal client behavior based on normal traffic features and, during an attack, optimizes capacity allocation for legitimate clients based on the profile. The proposed defense mechanism is evaluated using simulations based on real-life server usage patterns. The simulations indicate that the mechanism is capable of mitigating an overwhelming server capacity exhaustion DDoS attack. During attacks where a botnet floods a server with legitimate-looking requests, over 80 percent of the legitimate clients are still served, even on servers that are heavily loaded to begin with. An implementation of the mechanism is tested using synthetic HTTP attack traffic, also with encouraging results.