Broken Authentication - Weak Bruteforce Protection

So im doing question 2 on this lesson, I figured out the answer / how to get the answer but my question is HOW are we supposed to know to use that IP address. Did i miss something somewhere? Obviously it makes sense, since the application would never block its local address but still…From what i seen that was never explicitly taught.

How did you get an answer? I don’t know what to do anymore… I tried different addresses, but the script doesn’t find