Security Basics mailing list archives

logging hostnames instead of IP addresses is a potential weak point in identifying attacks


From: "Ventsislav Genchev" <vigour1 () gmail com>
Date: Fri, 21 Mar 2008 15:09:36 +0200

So far I had no worries identifying sources of brute force attacks,
but today I saw a very strange, at first look, record:

---
vsftpd:
    Unknown Entries:
       check pass; user unknown: 79167 Time(s)
       authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Admin rhost=. : 28628 Time(s)
       authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=. : 28598 Time(s)
----

Note the empty rhost.


After a short investigation (looking at some other server's log files
and dumping traffic) I realized that the source of those login
attempts was an IP address with the following reverse record:

2.109.90.66.in-addr.arpa domain name pointer .

(actually an empty reverse)

If I hadn't had access to other log files, or the attack had not been in
progress at the moment, I would not have been able to locate the source.
So any kind of hostname logging (at least in my opinion) is a weak
point in identifying attacks of any kind and should be avoided.


If any of you guys have similar experiences and/or
solutions/workarounds, I would be very glad to read your lines.


Best wishes,

Ventsi
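An added example, not part of the original post: a small log check that classifies the rhost field of PAM-style "authentication failure" lines (the format quoted above) so that entries whose source is an empty or "." reverse record, like the ones in the post, are counted as unattributable rather than silently merged into the hostname column. The sample lines are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the PAM "authentication failure" format the post
# quotes; the "." rhost mirrors the empty reverse record described in the post.
SAMPLE_LOG = """\
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Admin rhost=.
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=.
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=root rhost=
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Admin rhost=203.0.113.7
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Admin rhost=host.example.net
"""

RHOST_RE = re.compile(r"rhost=(\S*)")


def classify_rhost(line):
    """Return 'unattributable', 'ip' or 'hostname' for one PAM auth line.

    A hostname is only as trustworthy as the attacker's reverse DNS, and an
    empty or '.' rhost (an empty PTR record, as in the post) carries no source
    information at all, so both are kept apart from IP literals.
    """
    m = RHOST_RE.search(line)
    if m is None:
        return "unattributable"
    value = m.group(1).strip()
    if value in ("", "."):
        return "unattributable"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "hostname"


def summarize(log_text):
    """Count authentication failures per rhost class."""
    counts = Counter()
    for line in log_text.splitlines():
        if "authentication failure" in line:
            counts[classify_rhost(line)] += 1
    return dict(counts)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(summary)
    if summary.get("unattributable"):
        print("warning: %d failures have no usable source; log IP addresses"
              % summary["unattributable"])
```

Run against real logs, a non-zero "unattributable" count is the signal that the reverse lookup, not the logging itself, is deciding what gets recorded.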

