At the University of Alberta we've experienced a full DoS of our Moodle installation.
We've tracked the root cause to be related to the aggressive session locking used in the database_session.
Incident cause was discovered to be a single user who held down refresh in their browser.
We are able to reproduce this on any base install of Moodle 2.4.x.
We were able to partially mitigate non-authenticated and guest users using the CFG->sessionlockloggedinonly flag, but this does not help against authenticated users.
We're currently investigating a few strategies to resolve this, including changing the session's locking mechanism to a shared advisory lock in combination with rate limiting, and wrapping the session object assignments with lock/unlock calls.
We're wondering if there is a fix in the works or not and, if so, where we can find it, as we're currently at the mercy of every single user in our system.
Moodle 2.4.5, PHP 5.3.10, Postgres 9.1.9
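
The following is an added example, not part of the original report and not Moodle code: a small deterministic model of why one session that keeps re-requesting a page can occupy a whole worker pool when every request blocks on an exclusive session lock, and how a per-session cap on lock waiters (one possible form of the rate limiting mentioned above) bounds it. The function name, the `max_waiters` parameter and all numbers are assumptions made for illustration.

```python
# Added illustration; the model and all parameter values are constructed.
def simulate(workers, service, interval, duration, max_waiters=None):
    """Model one session whose browser re-requests a page every `interval` ticks.

    Each request occupies a web worker from arrival until it has held the
    exclusive session lock for `service` ticks. `max_waiters` (hypothetical
    mitigation) caps how many requests may queue behind the lock holder;
    further requests are refused at once and never tie up a worker.
    Returns (peak_busy_workers, refused_by_cap, ticks_with_pool_exhausted).
    """
    lock_free_at = 0   # tick at which the session lock next becomes free
    in_flight = []     # finish tick of each request still holding a worker
    peak = refused = exhausted = 0
    for t in range(duration):
        in_flight = [f for f in in_flight if f > t]   # finished requests free workers
        if t % interval == 0:                          # another refresh arrives
            if len(in_flight) >= workers:
                pass                                   # no free worker: dropped, like any user's request
            elif max_waiters is not None and len(in_flight) > max_waiters:
                refused += 1                           # fail fast instead of queueing
            else:
                start = max(t, lock_free_at)           # wait for the exclusive lock
                lock_free_at = start + service
                in_flight.append(lock_free_at)
        peak = max(peak, len(in_flight))
        exhausted += int(len(in_flight) >= workers)
    return peak, refused, exhausted


if __name__ == "__main__":
    # 20 workers, 10-tick page, one refresh every 2 ticks for 200 ticks.
    print("blocking lock:", simulate(20, 10, 2, 200))
    print("cap of 2 waiters:", simulate(20, 10, 2, 200, max_waiters=2))
```

In this model the blocking lock leaves no free worker from tick 46 onward, while the cap keeps the session to three workers at the cost of refusing its surplus requests.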