First off, I'd say that denial of service attacks are probably better handled at the firewall than in the application code (and as such gets pretty far outside my comfort zone in terms of knowledge).
That being said, the user can't touch the actual session data, as that is stored on the server. They could, however, keep clearing the session cookie so that the app creates a new session, though that would then assume they would need to call the initial page again so that it would create a new token or whatever that is tracked in the session data. If you really feel you need to handle such a situation, then you're probably limited to IP address tracking, with the problems that can create (different users coming from the same IP, e.g.).
Maybe you could throttle requests by the above tracking of requests in $_SESSION, and as the number increases, start adding proportional delays to responses? Or maybe just track the time of the last request, and if the difference is less than some arbitrary amount, inject a delay of a couple seconds?
But if some script kiddie feels the need to swamp your server, I do feel you're getting into something that's more firewall and network related than application code related.