How practical is it to bruteforce a 10-digit number via URL

About a day

If we're lucky: there's no throttling, we can perform each test with a HEAD request, can perform many tests on a single HTTP connection with Keepalive, and can have many concurrent connections.

In that case we're mostly limited by bandwidth. Say we craft a tight request that is 100 bytes; that means we need to send a total of 100 * 10^10 bytes. And let's suppose we have a decent 100 Mbps connection, which will do about 10 megabytes per second. That would take 100,000 seconds - just over a day.

This is the best case; in practice there are likely to be issues that prevent it from working so fast. We could have multiple systems working simultaneously to make it faster - but at some point we'll overload the server.


Rolling a 10-digit number doesn't take long on most systems, regardless of the script/language used. The bigger problem here is the number of connections you open simultaneously and the delay between requests. A well-configured system will block too many requests that originate from the same address (either by the firewall or the daemon itself).

For example:

#!/bin/bash
for i in {1..1000}
do
   curl "www.[somewebsite].com/$i" > "${i}_out.txt"
done

You might want to thread this.


Depends on several factors.

Server side

  • Server bandwidth
  • Does this requested number generate a query on some database?
  • Any firewall/security script to detect this kind of activity and block it
  • Any other resources that can be a bottleneck, like CPU or memory.
  • If you are one of those lucky people who try it on a server whose logs are stored on a very limited file system, this kind of activity will consume every free byte of it, making the application stop.

Client side

  • Your bandwidth

My considerations regarding this activity:

First do a DNS query, and see if there is more than one server for that address. That will help: the more servers, the more you can split the load.

Test the firewall: get a VPS and run some tests to get an idea of your environment without blacklisting your IP address. Test some rates: 100, 1000, 10000 per second. Test the average response time for every hour of the day. If the response times change, then your server has some time windows that receive more traffic/requests, and that will be a good time to not stress the server.

With all the above results you will know what to do. If the server has more bandwidth than you have, which happens almost all the time, you can get a VPS to help you; choose one near the server. You will have your plan about how many requests will be optimal to achieve your solution. For example, if the servers receive more load in the morning, you can use 1000/s during the day, for example 8am to 10pm, and use as many as the servers can answer from 10pm to 8am.

Just be aware that this kind of activity could lead some services to crash or get a load so big that they won't be able to answer the users, and that can be considered a Denial of Service attack. It can get you into some trouble because of several factors; I don't know about all countries, but in several countries this kind of attack is a crime. Contact the system administrator about your intentions before you crash any system and become responsible for downtime.
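The answers above mention servers that detect and block many requests from the same address. As an added example (not written by any of the answerers), here is one way a defender could flag that pattern in an access log: count the distinct 10-digit IDs each client requests inside a sliding time window. The log format, window, threshold, function names and sample lines are all assumptions constructed for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches common-log-format lines whose path is exactly a 10-digit number.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) /(\d{10}) HTTP/[\d.]+" \d{3}'
)

def find_enumerators(lines, window_s=10, max_ids=20):
    """Return {client: peak distinct IDs seen in any window} for clients
    that requested more than max_ids different IDs within window_s seconds.
    Assumes each client's lines appear in chronological order."""
    recent = defaultdict(deque)   # client -> deque of (timestamp, id)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not a numeric-ID request, ignore
        client, ts_raw, ident = m.groups()
        ts = datetime.strptime(ts_raw, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[client]
        q.append((ts, ident))
        while ts - q[0][0] > window_s:   # drop requests older than the window
            q.popleft()
        distinct = len({i for _, i in q})
        if distinct > max_ids:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

def sample_log():
    """Constructed sample: one client walking sequential IDs at 10 req/s,
    and one ordinary client fetching two IDs over 40 seconds."""
    stamp = "10/Mar/2024:10:00:{:02d} +0000"
    lines = [
        '198.51.100.7 - - [{}] "HEAD /{:010d} HTTP/1.1" 404 0'.format(
            stamp.format(n // 10), n)
        for n in range(50)
    ]
    for n, ident in enumerate([4821330957, 4821330957, 7710024418]):
        lines.append('203.0.113.9 - - [{}] "GET /{} HTTP/1.1" 200 512'.format(
            stamp.format(n * 20), ident))
    return lines

if __name__ == "__main__":
    for client, peak in find_enumerators(sample_log()).items():
        print(f"{client}: {peak} distinct IDs within the window")
```

Counting distinct IDs rather than raw requests keeps a client that reloads the same URL many times from being flagged.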
