I assume your instance mode is per session. You can set this value in Int32.Max if required. Be that as it may, it is good to understand the concept of WCF throttling in detail.
The value is very low to prevent DOS attacks because the WCF team wants the services to be "secure by default."
Here is a good read, check out this blog post here
Please note that these values ββare extremely low ... much lower than many people would like them to be. The thought of the WCF team was that they wanted WCF to be "safe by default" and to reduce the change in DOS attacks launched from your service. This idea may seem wonderful, but in practice causes serious problems.
In fact, you almost certainly ran into these problems if you use WsHttpBinding, which supports sessions. Why is this? the default number of sessions is 10, which first means that 10 users can access your service at the same time. However, WCF sessions are not web sessions. Unlike web sessions that are managed by the server and are usually monitored using http cookies, WCF sessions are initiated by the client proxy and do not end until they time out or the client sends an explicit request to refuse the session. The point here is, since each proxy instance initiates its session, a user who makes several requests at once can be using several sessions at the same time. Now you might think that you are safe if you do not have multi-threaded code that does such things ... but this is not entirely true. Since the user must make an explicit request to the server to cancel the session, it is possible that you leave the sessions open accidentally. People who have been working with ASMX services often do not realize that they need to close their proxy objects and the few that realize that the objects must be closed often make the mistake of considering them as disposable objects, which leads to sessions remaining open. Bearing in mind that the default value for session restriction is 10, this means that if you make ten calls to a service using WsHttpBinding in a relatively short time, you can end up blocking your service until the sessions expire.
The decision that the WCF Team created here might be puzzled. In an attempt to limit the ability of attackers to launch DOS attacks against your services, they made it much easier to carry out a DOS attack against your services. You no longer need resources to flood the server with requests so that it can no longer answer, you just need to make several calls without explicitly requesting a connection to close and the maximum number of sessions. If this value is not set, it is extremely large, you run the risk of the server refusing to accept any incoming connections, despite the fact that it scares with zero CPU usage.