We blocked and have identified the student - we are trying to contact her to sort this out. Now that I have her details I can see her logs in Moodle - nothing malicious here. I couldn't find her with `lastip` because this is a laptop, and the last IP she logged into Moodle with, was not the IP hitting the server. (Trying to select the IP from logstore_standard timed out).
I think Chris hit the nail on the head above, "We see things like this in our logs. It is usually a user whose session has expired, but has a tab open with a PDF in it. Because the PDF reader does not know how to get redirected to the login page, there is an impasse. This caused merry hell..."
According to the logs she opened the offending file on 30 Jan. It appears that since then, every time she unlocks her laptop it whacks away at the server.
And this is happening with many users.
[MDL-42435] mentions the CFG->sessionlockloggedinonly flag helping with non logged in users - but I can't see this in the 3.3 config-dist.
I think I will have to get mod_evasive in place. Fast.
Thank you for all your help