100 to 1,000 times per second is the thing that is important to note. You would never want to log or process this type of malicious activity for 2 reasons. The goal of a DoS/DDoS attack is to overload your Server and crash your website.
1. If the hacker is NOT using a valid username then they will never be able to successfully log into the site.
2. WordPress handles this type of malicious authentication activity by returning an error instead of consuming unnecessary resources by continuing the authentication processing any further.
BPS Login Security is hooking into the WordPress authentication process and is also returning an error on this type of malicious activity.
Every time someone attempts to log in to your website they are attempting to connect to your WordPress Database. This costs website resources, so if someone is overloading your website resources by trying to log in repetitively then this will cause your website to run slower or probably just crash the site. So by ending the script with an error instead of continuing with script processing, the resource cost is almost nil. If on the other hand you allowed the processing of this type of malicious activity to continue on in the script and be processed, then this is an unnecessary use of your Server resources and would have a negative impact on website performance. If handled completely wrong it could cause your Host to suspend your Hosting account. Therefore not allowing this type of malicious activity in the first place is the smart way to handle this.
Honestly, why would you want to see or log login attempts for invalid usernames? I do not see any valid reason to do something like that. It is an unnecessary waste of your Server's resources/website resources.