in reply to Why do you have to worry about Brute Force Attacks?
The web server will quite happily let an IP call the same script 20,000 (or 20,000,000) times, as it doesn't have any way of telling the difference between a brute force attack and an application that just gets a lot of use. This is why the locking logic is built into the application; the application is the only point that knows the difference between a legitimate request and an invalid login attempt.
| We're not surrounded, we're in a target-rich environment! |
|---|
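The application-side locking described in the post above, as an added example that is not part of the original post: only failed login attempts count toward a lock, so heavy ordinary use from one IP is never throttled. The class and function names, the thresholds, and the choice of client IP as the key are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

# Assumed policy values, chosen for illustration only.
MAX_FAILURES = 5       # failed logins tolerated inside the window
WINDOW_SECONDS = 300   # sliding window for counting failures
LOCK_SECONDS = 900     # how long a key stays locked

class LoginThrottle:
    """Tracks failed logins per key (client IP here; an account name works too)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)   # key -> timestamps of failures
        self.locked_until = {}               # key -> time the lock expires

    def is_locked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:            # lock expired: start clean
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, key):
        now = self.clock()
        recent = self.failures[key]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:   # drop failures outside window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCK_SECONDS

def handle_request(throttle, ip, is_login, credentials_ok=False):
    """Return an HTTP-style status for one request (hypothetical handler)."""
    if not is_login:
        return 200                 # ordinary traffic never counts, however heavy
    if throttle.is_locked(ip):
        return 429                 # refused before credentials are even checked
    if credentials_ok:
        return 200                 # success does not erase earlier failures
    throttle.record_failure(ip)
    return 401
```

Keying on the IP alone locks out everyone behind a shared address; keying on the account name as well is a common refinement.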