In this paper, we present the design and implementation of OTP-DEF, a kernel extension to protect web servers against application layer DDoS attacks. OTP-DEF provides authentication by using OTP-based tests, which is different from other systems that use graphical tests. First of all, according to the load of web server, an OTP-DEF web-server should fall into one of three following modes: normal, suspected attack or confirmed attack mode, and the OTP-DEF authentication mechanism shall only be activated when web-server is in suspected attack mode. Secondly, we use OTP as our puzzle, which can automatically change at the certain time interval. It makes our proposal can defend socially-engineered attack, copy attacks, replay attacks and Brute-Force Attack. Thirdly, OTP-DEF uses an intermediate stage to identify the IP addresses that ignore the test, and persistently bombard the server with requests despite repeated failures at solving the puzzles. These machines are zombies because their intent is to congest the server. Once these machines are identified, OTP-DEF blocks their requests, turns the tests off, and allows access to legitimate users who are unable or unwilling to solve tests. Finally, OTP-DEF requires no modifications to client software.