I pinged every IP address that wasn’t reserved. The image is 8k by 8k and is re-encoded as an AVIF to be friendlier to mobile devices. Like every other survey done, it is using a Hilbert Curve to convert the linear address space to a contiguous 2d space. The hotter the colors (blue is coolest), the denser the ping responses were.

(If you are interested the full-resolution pyramidal-tiled TIFF can be downloaded and viewed in QuPath on desktop. I’ve also compressed the ping response data into its own format down to about 150 MB. PM me for a link)

Non-proxied image

Here is a 2006 survey to compare.

Some observations: Big Tech (USA) is in the top left. US government allocations, for the most part, did not respond to any pings. And maybe you didn’t realize this before, but Multicast (Class D) & Class E consume a whopping 12% of the IPv4 range.

  • 4 hours

    It’s interesting how certain companies and organizations have such large ranges, 16m IP’s each for both that old printer company and a farmaceutical company is a lot. It really shows the history of the internet and how seemingly certain companies that adopted it first ended up with huge chunks of the available IPv4 space.

    • Or more specifically, what is the sum of all latencies divided by the number of responses times the total numer of requests sent (to scale up for the ones that didn’t reply, assuming their average latency would have been similar to the total average)?

  • Exactly the same thing had been done in this very interesting video I had watched some time ago. Did you get the idea from there?

  • Nice! Now do the same for ipv6 :p

    Any way to determine/estimate if the black squares are unused blocks (“give them back!”) or just not responding to pings?

    • This was a ping scan, so it wasn’t probing any TCP/UDP ports (see shodan.io). I suppose you could use ICMP control messages (Destination Unreachable) to determine if something was unused, but that assumes the other side is being friendly.

  • Forgive me if this is an ignorant question. How did you do the incremental address to address search? In my head I would start with “000.000.000.000” and then “000.000.000.001” and so on but that doesn’t account for the “000.000.000.1” scenario, or any combination thereof.

    • Python code:

      results = {}
      for ip0 in range(256):
        ip0_str = to_str( ip0 ) + '.'
        for ip1 in range(256):
          ip1_str = ip0_str + to_str( ip1 ) + '.'
          for ip2 in range(256):
            ip2_str = ip1_str + to_str( ip2 ) + '.'
            for ip3 in range(256):
              ip_vector = [ ip0, ip1, ip2, ip3 ]
              ip_str = ip2_str + to_str( ip3 )
              results[ ip_vector ] = ping( ip_str )
      

      Might look a bit nicer using format strings instead. That map will contain on the order of 4 billion entries (one for each value of 2³²), and the actual size will depend on what format the ping function returns, 4 bytes for each key (optimized from my initial version that used the IPs as keys), plus all the internal structures for the map like key hashes and the hash table itself. Ie, this takes more memory to run than viewing OP’s full sized image and I wouldn’t suggest running it with less than 32GB of RAM. Though it would take less memory if it generated the image directly or at least making the keys implicit (which the image does, as they are encoded into the x, y coordinates rather than stored).

      Edit: Let’s look at runtime, too, because why not. Assuming every single IP responds in 0.01 seconds (they’ll take longer, especially the ones that time out instead of respond), rounding the total to that nice 4 billion number get us 40 million seconds. An hour is less than 4000 seconds, so it would take over 100 hours to run this script.

      Though it could be parallelized, since you can ping many targets at once. Not sure what the maximum number of pings you could have in flight is, but whatever it is, you’d be much better off using a script that did like 80% of that (to leave some margin for the rest of the system to use, also ISPs might not be happy with you maxing out your ICMP traffic).

    • The “.” are just separators. Each segment is a number from 0-255 (1 byte). So you hold three segments static (e.g. 10.10.10.x) and then increment the last segment from 0-255 (so 10.10.10.0 -> 10.10.10.255). Then the next segment increments (10.10.11.0 -> 10.10.11.255).

    • Essentially, IPv4 addresses[2] are just numbers from 1 to 2147483647, for example 3405804031. However, since address routing is often based on common binary prefix, more intuitive methods like 203.0.113.255 are used. This notation is just a length-4 list of integers from 0 to 255. To convert from an integer to a common IP address, you divide-with-remainder with a constant divisor of 256. For example, 3405804031 /% 256 = (13303921,256), 13303921 /% 256 = (51968,113), 51968 /% 256 = (203,0), and 203 /% 256 = (0,203).[1] Collecting all the remainders in reverse order, then joining them with periods, produces 203.0.113.255. (This notation is just for people to read; aside from parsing code, none of IPv4 uses this notation.) When you enter an IPv4 address, the opposite happens — an expression like ((203 * 256 + 0) * 256 + 113) * 256 + 255, which evaluates to 3405804031, is performed. These octets are just numbers — using 203.000.113.255 or 203.00.113.255 in place of 203.0.113.255 is merely a choice of how to write the address, as 203 * 256 + 0 = 203 * 256 + 000. mraow

      [1]: this operation can be omitted; I include it for symmetry. [2]: though all of this holds true for IPv6, I really didn’t feel like going through 128 bits of address

    • 12 hours

      Writing it out like 000 is just a convention. .1 is the same as .001. They are actually hex numbers from 0 to FF.

        • 10 hours

          What communicates what they need to know at the level they’re at? I can get technical about octets and bounded decimals, or I can give a simple answer that puts those values into a familiar context.

              • I mean - they are “numbers”. Numbers are not in hex or decimal. Saying “they’re really hex numbers” is not just wrong it’s kinda meaningless since ff == 255.

                You’ve explained it badly.

      • They’re supposed to be (traditionally) written in octal. Which is why they are called ‘octets’.

        • That smells a little like folk etymology to me, are you sure about that? My understanding is that since the word is older than computers and can refer to any group of 8 things, “octet” in computing just came from the need to communicate a group of exactly 8 bits given that bytes aren’t always that size.

        • 10 hours

          I could be mistaken, but I think based on the question, that would not be clarifying. I suppose I could’ve just left it as they are numeric.

          • The only possible improvement would be to mention that they are bytes - as said otherwise, representation is meaningless, but they factually are 8 bits each segment, which means they are effectively just a number between 0-255.

            Still, I think you were able to explain yourself to the other comment, so there’s that.

            • 9 hours

              That’s a valid correction and unlike the other comment provides more information rather than just “that’s technically bullshit.”

  • It would be nice to have some overlay of the two images with a difference to see what changed.

    • about a month, since I ran it at about 6000 addresses / sec checking distinct addresses 4 times (round robin) or 1500 finished / sec. This was the fastest I went to avoid silent UDP drops and to hopefully not annoy my VPS hoster too much.

      • You might be interested in ZMap: With a 10gigE connection and either netmap or PF_RING, ZMap can scan the IPv4 address space in under 5 minutes.

        • Comparison is the thief of joy 🙃

          Though if I push my scanner hard it could probably do 16k/sec on the single core and 1gig connection it is on. The problem is how reliably I could do 16k/sec over the network, since a good portion would be dropped even if the host’s hardware could keep up.

          I’d probably need access to enterprise-level equipment that could handle the routing load if I were to do it in 5 seconds lol, it’s insane they managed to do that