What is it? The account lockout attack is an attack on the client, not the server. It causes the victim's account to be locked, leaving them unable to access it for a period of time. This causes disruption and, if used at the right time, can prove very effective.
What Sites are Vulnerable? Sites that operate an account lockout feature triggered by a number of incorrect logins within a certain period of time are vulnerable. Note that this only works when the system locks the username, not the attempting IP address; otherwise all you are doing is locking yourself out. Sites employ this lockout feature to prevent brute-force attacks on passwords, an even more severe attack.
How to Perform the Attack? There are a number of ways to perform this attack. The first is to manually get the password wrong three times on a certain account. The second method is by editing the cookie: attempt one login, then find the cookie "logins_incorrect=1" or similar, and change the value to 999, or any number above the limit. Where the server trusts this client-supplied counter, the data will then be sent back to the server and stored in the database, so the user will be locked out everywhere. The third method is the most effective and can cause full-scale DoS and disruption if executed effectively: you can write a script to simultaneously lock out every username in the database. Of course here you will need a username list, but most forums and CMSs have the member list ready to copy. This is most disruptive when performed at the company's busiest times, such as Christmas time.
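A defender's view of the scripted variant described above, as an added example that is not part of the original page: it scans login events for a single source pushing many usernames to the lockout limit. The log format, the limit of three, the five-minute window and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<ISO time> <source IP> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2024-12-20T18:00:01 203.0.113.7 alice FAIL
2024-12-20T18:00:02 203.0.113.7 alice FAIL
2024-12-20T18:00:03 203.0.113.7 alice FAIL
2024-12-20T18:00:04 203.0.113.7 bob FAIL
2024-12-20T18:00:05 203.0.113.7 bob FAIL
2024-12-20T18:00:06 203.0.113.7 bob FAIL
2024-12-20T18:00:07 203.0.113.7 carol FAIL
2024-12-20T18:00:08 203.0.113.7 carol FAIL
2024-12-20T18:00:09 203.0.113.7 carol FAIL
2024-12-20T18:01:00 198.51.100.4 dave FAIL
2024-12-20T18:01:20 198.51.100.4 dave FAIL
2024-12-20T18:01:45 198.51.100.4 dave OK
2024-12-20T18:02:10 192.0.2.9 alice FAIL
"""

def parse(log):
    """Yield (time, ip, user, ok) tuples; skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("FAIL", "OK"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3] == "OK"

def lockout_sweeps(log, limit=3, window=timedelta(minutes=5), min_accounts=3):
    """Map source IP -> sorted usernames it pushed to the lockout limit."""
    fails = defaultdict(list)    # (ip, user) -> failure times still inside the window
    tripped = defaultdict(set)   # ip -> usernames that reached the limit
    for ts, ip, user, ok in sorted(parse(log)):
        key = (ip, user)
        if ok:
            fails[key].clear()   # a successful login resets the counter
            continue
        fails[key] = [t for t in fails[key] if ts - t <= window] + [ts]
        if len(fails[key]) >= limit:
            tripped[ip].add(user)
    return {ip: sorted(u) for ip, u in tripped.items() if len(u) >= min_accounts}

if __name__ == "__main__":
    print(lockout_sweeps(SAMPLE_LOG))
```

A user who mistypes a password twice and then logs in (dave in the sample) is not flagged; only a source that trips the limit on several distinct accounts is reported.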
Real World Examples eBay was targeted by this attack to knock the highest bidder offline: the attacker logged in incorrectly three times on the highest bidder's account, who was then unable to bid in the final minutes of the auction, and consequently the hacker won the bid.