TCP/IP 102

William Favre Slater, III


October 16, 2024
Agenda
• Introduction
• The Beginning
• TCP/IP Protocol Suite
• IPv4 Address Space & the IPv6 Address Space
• IPv4 Address Classes
• CIDR
• Name Resolution
• TCP/IP Utilities
• ICMP
• WireShark
• Common TCP and UDP Port Assignments
• IPv4 Address Exhaustion
• IPv4 Address Generator
• Carna BotNet IPv4 Census of 2012
• IPv4 vs. IPv6
• Conclusion
• Questions
• References

[Photo: Dr. Vint Cerf and Dr. Robert Kahn each receiving the Presidential Medal of Freedom in 1998 from President Bill Clinton for their accomplishment of inventing TCP/IP and the Internet]

TCP/IP 102 - William Favre Slater, III - Page 2


Introduction
• TCP/IP is the set of network
protocols that make the
Internet work.
• TCP stands for Transmission
Control Protocol.
• IP stands for Internet Protocol.
• These two protocols were
developed by Dr. Vinton Cerf
and Dr. Robert Kahn.
• This presentation picks up
from where TCP/IP 101 left
off.
The Beginning
• IEEE 1974 Paper on Packet Switched WANs published by Dr. Vint Cerf and Dr. Robert Kahn.

Source: Cerf, V. & Kahn, R. (1974). A Protocol for Packet Network Intercommunication. IEEE Paper.

The Creators of TCP/IP
Dr. Vinton Cerf
Senior VP / Internet Evangelist
at Google
Charter Member of the Internet
Engineering Task Force (IETF)
Former Chairman of ISOC
Chairman of the Internet Societal
Task Force (ISTF)
Former Chairman of ICANN

Dr. Robert Kahn


President, Corporation for
National Research Initiatives - which
assists in leading and funding the
National Information Infrastructure

The Creators of TCP/IP

Dr. Vinton Cerf

Dr. Robert Kahn


Creating and Testing the Modern Resilient Internet
Vinton G. Cerf, who is revered as one of the Internet's creators,
says that, theoretically, if properly constructed, the system could
remain functional after a nuclear strike.

"We even tested these ideas by simulating the fragmentation of the
ARPANET and re-binding it using flying packet radios on Strategic
Air Command aircraft in the early 1980s," recalls Cerf, who is now
senior vice president for Internet architecture and engineering at
MCI Communications Corp. in Washington, D.C.

That simulation, using special radios equipped with Internet
technologies, proved that if a nuclear bomb dropped and the
network was initially splintered, the remaining sections of the
network would seek each other out and relink, continuing to transmit
information across the surviving parts of the system.

But Cerf is quick to say that there was no truth to the widespread
belief that the Internet, or even its predecessor ARPANET, was
impervious to nuclear attack. "That was not true, although its design
did make use of the robustness of packet switching to route around
failures and congestion."

TCP/IP Protocol Suite

Source: Novell. (2024). TCP/IP Protocol Suite.
Retrieved from http://www.novell.com/documentation/nw65/ntwk_ipv4_nw/?page=/documentation/nw65/ntwk_ipv4_nw/data/hozdx4oj.html
RFCs for Network
Protocols
Use this URL convention:
https://rfc-editor.org/rfcxxx.htm
Where xxx is the RFC Number

Source: Tulloch, M. and Tulloch, I. (2002). Microsoft Encyclopedia of Networking. Published by Microsoft Press.

IPv4 Address Space
4,294,967,296 IPv4 addresses

Class E    240.0.0.0 - 255.255.255.255    268,435,456 addresses
Class D    224.0.0.0 - 239.255.255.255    268,435,456 addresses
Class C    192.0.0.0 - 223.255.255.0      536,870,912 addresses
Class B    128.0.0.0 - 191.255.0.0        1,073,741,824 addresses
Class A    0.0.0.0 - 127.0.0.0            2,147,483,648 addresses
Loopback   127.0.0.1

IPv4 Address Space
4,294,967,296 IPv4 addresses

Source: Meridian Outpost. (2024). Retrieved from https://www.meridianoutpost.com/resources/articles/IP-classes.php#google_vignette

Non-Routed IPv4 Address
Ranges and Networks
• By RFC Specification by the Internet Engineering
Task Force, these IP Addresses are not routed on
the Public Internet:

– 255.255.255.255
– 127.0.0.1 (Loopback Address)
– 0.0.0.0
– (These Ranges shown below are usually used in Private
Networks behind an External Facing Firewall)
– 10.x.x.x - The entire 10. Networking range [ Class A ]
– 172.16.0.0 - 172.31.0.0 (16 networks) [ Class B ]
– 192.168.0.0 - 192.168.255.0 (256 networks) [ Class C ]
CIDR
• CIDR = Classless Inter-Domain Routing

Source: Wikipedia. (2024) https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
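The classful ranges, the non-routed ranges and CIDR from the preceding slides fit together as follows. This is an added example, not part of the original deck; the dictionary and function names are chosen here for illustration. Each class is a CIDR prefix on the leading bits, which reproduces the address counts on the IPv4 Address Space slide.

```python
import ipaddress

# Classful blocks from the slide, rewritten as CIDR prefixes: each class is
# fixed by the leading bits of the first octet (0, 10, 110, 1110, 1111).
CLASSFUL = {
    "A": ipaddress.IPv4Network("0.0.0.0/1"),
    "B": ipaddress.IPv4Network("128.0.0.0/2"),
    "C": ipaddress.IPv4Network("192.0.0.0/3"),
    "D": ipaddress.IPv4Network("224.0.0.0/4"),
    "E": ipaddress.IPv4Network("240.0.0.0/4"),
}

# Non-routed entries from the slide, as CIDR blocks. The slide lists the
# single loopback host 127.0.0.1; the whole 127.0.0.0/8 block is loopback.
NON_ROUTED = {
    "limited broadcast": ipaddress.IPv4Network("255.255.255.255/32"),
    "loopback": ipaddress.IPv4Network("127.0.0.0/8"),
    "unspecified": ipaddress.IPv4Network("0.0.0.0/32"),
    "private (Class A range)": ipaddress.IPv4Network("10.0.0.0/8"),
    "private (Class B range)": ipaddress.IPv4Network("172.16.0.0/12"),
    "private (Class C range)": ipaddress.IPv4Network("192.168.0.0/16"),
}


def class_sizes():
    """Number of addresses in each classful block."""
    return {name: net.num_addresses for name, net in CLASSFUL.items()}


def classful_class(addr):
    """Class letter for a dotted-quad address; the five blocks cover all of IPv4."""
    ip = ipaddress.IPv4Address(addr)
    return next(name for name, net in CLASSFUL.items() if ip in net)


def non_routed_label(addr):
    """Label and CIDR block if the address is in a non-routed range, else None."""
    ip = ipaddress.IPv4Address(addr)
    for label, net in NON_ROUTED.items():
        if ip in net:
            return f"{label}, {net}"
    return None


def range_to_cidr(first, last):
    """Collapse an inclusive first-last range into the fewest CIDR blocks."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(block) for block in blocks]


def describe(addr):
    """(class letter, non-routed label or None) for one address."""
    return classful_class(addr), non_routed_label(addr)


if __name__ == "__main__":
    for name, size in class_sizes().items():
        print(f"Class {name}: {CLASSFUL[name]} -> {size:,} addresses")
    print(range_to_cidr("172.16.0.0", "172.31.255.255"))
    # Constructed sample addresses.
    for sample in ("10.1.2.3", "172.20.1.9", "172.32.0.1", "192.168.5.5", "8.8.8.8"):
        print(sample, describe(sample))
```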


IPv6 Address Space
• The IPv6 address space contains
340,282,366,920,938,463,463,374,607,431,768,211,456 addresses.
• The addresses occur in 8 groups (segments separated by colons) and are
represented by Hexadecimal numbers: 0 – F
• IPv6 addresses are 128 bits.
• The number of addresses in binary is 2^128 – 1.

Source: https://en.wikipedia.org/wiki/IPv6_address

DNS for Host Name Resolution
• The Domain Name Service (DNS) is an
essential part of the TCP/IP Protocol Suite.
It was designed and implemented between
1983 and 1986, on a Team led by Dr. Paul
Mockapetris. It operates at Layer 7 of the
OSI Model and was designed to resolve
human-readable names into IP addresses.
• There are two versions of DNS, one for IPv4
and one for IPv6. DNS was created to
replace HOST files, which were
cumbersome and difficult to keep updated.
• Without DNS, the Internet would be a very
different, slow performing machine because
it would depend on the maintenance and
distribution of “Host Files” to resolve
names into IP addresses.

TCP/IP Utilities
Command or Utility | Purpose | Windows or Linux or Both | Comments
ping | Network diagnostics | Both |
tracert | Network hop tracing | Both | Shows path in network hops.
netstat | Reveals the IP and port connections on Layer 3 | Both | Reports on Layer 4
ipconfig | Shows the host IP address, subnet, DNS and Gateway information | Both |
nslookup | Provides the DNS information | Both |
whois | Provides the information about the Domain | Both | Website: https://who.is
nmap | Port scanning utility | Both | Must download and install.
pathping | Network diagnostic tool. Provides information about network latency and network loss at intermediate hops between a source and destination. This command sends multiple echo Request messages to each router between a source and destination, over a period of time, and then computes results based on the packets returned from each router. Because this command displays the degree of packet loss at any given router or link, you can determine which routers or subnets might be having network problems. | Windows |
ssh | Secure Shell utility | Both |
arp | Address Resolution Protocol for displaying the ARP Table that maps IP addresses and the NIC Card address (Ethernet) | Both |
route | Displays the Route Table | Both |

Source: Pyles, Carrell, and Titel. (2024). Guide to TCP/IP: IPv6 and IPv4, 5th ed. Retrieved from https://www.guidetotcpip.com/wp-content/uploads/files/Appendices/tcpip5e_CommandLineIPUtils.pdf

TCP/IP Utilities
(Linux Style)

Determining Your IP Settings
Using ipconfig
Everyone with a Windows machine has this command line
utility on their machine: ipconfig

Run the ipconfig command to discover:

• IPv4 address
• IPv6 address
• Subnet Mask
• Default Gateway to the Internet

Using ipconfig

Source: Pyles, Carrell, and Titel. (2024). Guide to TCP/IP: IPv6 and IPv4, 5th ed. Retrieved from
https://www.guidetotcpip.com/wp-content/uploads/files/Appendices/tcpip5e_CommandLineIPUtils.pdf
Running Angry IP Scanner
• If you want to quickly get up to speed on network device and
port scanning, read this paper, Angry IP – An IP Scanner Tool
- A Product Analysis and User Tutorial (well documented and
fun!) See link below.
• Use Tools like Angry IP Scanner to attack your own home
network.
• Versions for Windows, Mac, and Linux are available.
• Angry IP Scanner is free and available at this link:
https://angryip.org/download/

Source: http://www.billslater.com/writing/Angry_IP__Scanner_W_F_Slater_2007_0716_.pdf

Angry IP Scanner
• Angry IP – An IP Scanner Tool - A Product Analysis and User
Tutorial

Source: http://www.billslater.com/writing/Angry_IP__Scanner_W_F_Slater_2007_0716_.pdf

ICMP

What Is ICMP?
• Internet Control Message Protocol (ICMP)
• First described in RFC 792, September 1981 by
Jon Postel, Internet Engineering Task Force
(IETF) and the Internet Assigned Numbers
Authority (IANA).

What Is ICMP?
Version: 4

IHL: Internet header length in 32-bit words.

Type of Service: 0

Total Length: Length of internet header and data in octets.

Identification, Flags, Fragment Offset: Used in fragmentation, see [1].

Time to Live: Time to live in seconds; as this field is decremented at each machine in
which the datagram is processed, the value in this field should be at least as
great as the number of gateways which this datagram will traverse.

Protocol: ICMP = 1

Header Checksum: The 16 bit one's complement of the one's complement sum of all 16 bit
words in the header. For computing the checksum, the checksum field
should be zero. This checksum may be replaced in the future.

Source Address: The address of the gateway or host that composes the ICMP message.
Unless otherwise noted, this can be any of a gateway's addresses.

Destination Address: The address of the gateway or host to which the message should be sent.
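The header fields and the checksum rule listed above, worked through in code. This is an added example, not part of the original deck; the sample header is constructed, and the function names are chosen here for illustration. It also shows why a gateway that decrements Time to Live has to recompute the checksum.

```python
import ipaddress
import struct

# The 20-byte IPv4 header without options, in the field order listed above.
IPV4_FIXED = struct.Struct("!BBHHHBBH4s4s")


def internet_checksum(data):
    """16-bit one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src, dst, payload_len, ttl=128, ident=0x1C46):
    """Constructed sample: header for an ICMP message (Protocol = 1)."""
    def pack(checksum):
        return IPV4_FIXED.pack(
            0x45, 0, 20 + payload_len, ident, 0, ttl, 1, checksum,
            ipaddress.IPv4Address(src).packed,
            ipaddress.IPv4Address(dst).packed)
    # The checksum field is zero while the checksum is being computed.
    return pack(internet_checksum(pack(0)))


def parse_header(raw):
    """Split a header into the fields from the slide and verify its checksum."""
    if len(raw) < IPV4_FIXED.size:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, checksum, src, dst) = IPV4_FIXED.unpack(raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(raw) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version, "ihl": ihl, "tos": tos,
        "total_length": total_len, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": checksum,
        "source": str(ipaddress.IPv4Address(src)),
        "destination": str(ipaddress.IPv4Address(dst)),
        # Summing a header that includes a correct checksum yields zero.
        "checksum_ok": internet_checksum(raw[:ihl * 4]) == 0,
    }


def decrement_ttl(raw):
    """What a forwarding gateway does: lower TTL by one, recompute the checksum."""
    size = (raw[0] & 0x0F) * 4
    header = bytearray(raw[:size])
    if header[8] == 0:
        raise ValueError("TTL already zero; datagram must be discarded")
    header[8] -= 1
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", internet_checksum(bytes(header)))
    return bytes(header) + raw[size:]


if __name__ == "__main__":
    # 8-byte ICMP header plus 32 bytes of echo data follow this header.
    sample = build_header("192.168.0.10", "192.168.0.1", payload_len=40)
    print(parse_header(sample))
    print(parse_header(decrement_ttl(sample)))
```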

ICMP – What It Does
• ICMP is used to
– Verify IP Hosts (i.e. “ping”)
– Verify IP packet routes
– Detect Network Traffic Congestion
– Monitor Network Traffic and Throttle the Performance
of both TCP and UDP
– ICMP messages are sent in several situations: for
example, when a datagram cannot reach its destination,
when the gateway does not have the buffering capacity
to forward a datagram, and when the gateway can direct
the host to send traffic on a shorter route.

How Does ICMP Work?
The Internet Protocol (IP) is used for host-to-host datagram service in a
system of interconnected networks called the Catenet. The network
connecting devices are called Gateways. These gateways communicate
between themselves for control purposes via a Gateway to Gateway
Protocol (GGP). Occasionally a gateway or destination host will
communicate with a source host, for example, to report an error in
datagram processing. For such purposes this protocol, the Internet Control
Message Protocol (ICMP), is used. ICMP, uses the basic support of IP as if
it were a higher level protocol, however, ICMP is actually an integral part of
IP, and must be implemented by every IP module.

ICMP messages are sent in several situations: for example, when a
datagram cannot reach its destination, when the gateway does not have the
buffering capacity to forward a datagram, and when the gateway can direct
the host to send traffic on a shorter route.

Source: IETF. (1981). Internet Control Message Protocol. Retrieved from https://www.rfc-editor.org/rfc/rfc792.txt

Why Is ICMP Important?
• ICMP is important because it listens to
current Network Traffic and helps TCP and
UDP adapt accordingly.
• Used to test network hosts.

ICMP RFC 792

Source: IETF. (1981). Internet Control Message Protocol.
Retrieved from https://www.rfc-editor.org/rfc/rfc792.txt

Ping
• The TCP/IP Utility, PING,
uses ICMP.
• You can use Ping for these
purposes:
– Test your TCP/IP functionality
– Test the Network performance
– See if a Host is up
– Test to see if DNS is resolving
Host names properly.

Ping Examples
• Ping by host name
• Ping by IP
• Ping by loopback
(127.0.0.1)
• Ping Localhost
• Ping by Base 10 Number
• Ping by Hexadecimal
Address

Ping By Host Name

Ping By IP

Ping the IPv4 Loopback Address

Ping the IPv6 Loopback Address

The IPv6 loopback address is a special address that devices use to send messages to themselves. This address is ::1/128,
and it's similar to the IPv4 loopback address 127.0.0.1. However, in IPv6, this address is simplified to ::1, reflecting
IPv6's design for a more streamlined and efficient networking future. The loopback address plays a crucial role in
testing, diagnosing, and configuring network settings on a device.

Source: Brightwood, N. (2024). IPv6 Loopback Address Explained. Retrieved from https://netseccloud.com/ipv6-loopback-address

Ping the Localhost

Ping By Base 10 Number

Ping By Hexadecimal Number

Converter for IP to Base 10
Visit: https://dnschecker.org/ip-to-decimal.php
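Because the same host can be written as a dotted quad, a base 10 number or a hexadecimal number, any filter or log search that compares address strings should canonicalize them first. The following is an added example, not part of the original deck; it assumes the classic inet_aton parsing rules (hex with 0x, octal with a leading 0, and a last number that fills the remaining bytes), and the function names are chosen here for illustration.

```python
import ipaddress

DIGITS = "0123456789abcdef"


def parse_number(token):
    """One inet_aton-style number: 0x.. is hex, a leading 0 is octal, else decimal."""
    text = token.lower()
    if text.startswith("0x"):
        base, digits = 16, text[2:]
    elif len(text) > 1 and text.startswith("0"):
        base, digits = 8, text[1:]
    else:
        base, digits = 10, text
    if not digits or any(ch not in DIGITS[:base] for ch in digits):
        raise ValueError(f"bad number {token!r}")
    return int(digits, base)


def canonical_ipv4(text):
    """Turn any of the accepted notations into one IPv4Address."""
    tokens = text.strip().split(".")
    if not 1 <= len(tokens) <= 4:
        raise ValueError(f"bad address {text!r}")
    *head, last = [parse_number(token) for token in tokens]
    tail_bytes = 4 - len(head)          # the last number fills what is left
    if any(n > 0xFF for n in head) or last >= 1 << (8 * tail_bytes):
        raise ValueError(f"number out of range in {text!r}")
    value = last
    for position, octet in enumerate(head):
        value |= octet << (8 * (3 - position))
    return ipaddress.IPv4Address(value)


def naive_is_loopback(text):
    """The string comparison a hand-written filter might use."""
    return text.startswith("127.")


def is_local_target(text):
    """Loopback or private, decided on the canonical address."""
    ip = canonical_ipv4(text)
    return ip.is_loopback or ip.is_private


if __name__ == "__main__":
    # Constructed inputs: six spellings of the loopback address, one public host.
    for form in ("127.0.0.1", "2130706433", "0x7F000001",
                 "0x7f.0.0.1", "017700000001", "127.1", "0x08080808"):
        print(f"{form:>14} -> {canonical_ipv4(form)}  "
              f"naive={naive_is_loopback(form)} canonical={is_local_target(form)}")
```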

Ping Syntax & Other Ping Parameters

Source: Pyles, Carrell, and Titel. (2024). Guide to TCP/IP: IPv6 and IPv4, 5th ed. Retrieved from
https://www.guidetotcpip.com/wp-content/uploads/files/Appendices/tcpip5e_CommandLineIPUtils.pdf
What does Ping tell us?
• Your IP Stack configuration is OK
• Target IP host is “UP”
• Layers 1 – 4 are operational
• Average network latency
• If you can Ping by Name, then DNS is
working.

What Is Traceroute? How Does
It Work?
• Traceroute is a Network and Internet Diagnostic Tool. It uses ICMP to
measure the distance in time between network “hops”.
• From R. Grimmick:
– Traceroute is actually a bit of a hack, in that it leverages a field in Internet Protocol (IP) packet
headers that was never really intended for path or route tracing. The IP standard mandates a
Time-to-Live (TTL) value for each IP packet, which acts as a kind of self-destruct mechanism to
keep undeliverable packets from endlessly circulating around the Internet. Each router in a
path is expected to decrement the TTL value by one before sending it further down the line.
Once the TTL hits zero, the routing process comes to a screeching halt, and the last router to
have processed the packet will send back a “Time to live exceeded” message.

– Exceeding a TTL value isn’t desirable for normal data packets, which is why a typical packet
will have a value ranging from 64 all the way to 255. But what would otherwise be a
frustrating error message is actually a key part of how traceroute works. By manipulating the
TTL field, traceroute and similar programs can trigger TTL exceeded messages from each hop
along a given path.

Source: Grimmick, R. (2023). What is Traceroute? How It Works and How to Read Results. Retrieved from
https://www.varonis.com/blog/what-is-traceroute

What Is Traceroute? How Does
It Work?

Source: Grimmick, R. (2023). What is Traceroute? How It Works and How to Read Results. Retrieved from
https://www.varonis.com/blog/what-is-traceroute

Running Traceroute on MS Windows

Source: Grimmick, R. (2023). What is Traceroute? How It Works and How to Read Results. Retrieved from
https://www.varonis.com/blog/what-is-traceroute

Running Traceroute on Linux

Source: Grimmick, R. (2023). What is Traceroute? How It Works and How to Read Results. Retrieved from
https://www.varonis.com/blog/what-is-traceroute

Traceroute Examples

Traceroute Examples

ICMP Dangers
• ICMP Dangers include:
– Vulnerable to DDoS attacks
– ICMP Tunneling
– ICMP Exfiltration
– Can inadvertently provide Operating System
data for fingerprinting reconnaissance because
the (default) Microsoft Windows Ping Packet
(echo) is different than a (default) Linux Ping
Packet (echo)

ICMP Dangers – ICMP Tunneling
Remember how ping uses ICMP Echo packets to test host reachability
across a network? Basically, the pinging host will send an Echo packet
with some data to the pinged host. Then, the pinged host will answer
with an Echo Reply containing the same data. The data may be
arbitrary and no strict guidelines are defined in ICMP’s RFC.

Attackers can exploit this design choice to obfuscate malicious
network behavior. Instead of explicitly communicating with a
machine in the protocol of choice, each packet will be injected into
an Echo or Echo Reply packet. The communication stream will now
seem to be a series of ping operations, rather than, for instance, a TCP
connection.

Source: Grinberg, S. (2024). How Hackers Use ICMP Tunneling to Own Your Network. Retrieved from
https://www.cynet.com/attack-techniques-hands-on/how-hackers-use-icmp-tunneling-to-own-your-network/
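A detection-side view of the behavior described above, as an added example that is not part of the original deck. It reviews captured Echo and Echo Reply messages for three signs that the data field is carrying something other than a ping: a reply whose data differs from the request, data longer than expected, and data that matches no known default pattern. The default patterns, the 64-byte threshold and all names are assumptions to tune against your own hosts; the capture is constructed.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Commonly observed default echo data (assumptions; verify on your own hosts).
WINDOWS_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"      # 32 bytes
LINUX_TAIL = bytes(range(0x10, 0x38))   # bytes 16..55; the first 16 hold a timestamp
MAX_EXPECTED_DATA = 64                  # hypothetical site threshold, in bytes


def parse_icmp(message):
    """Type, identifier, sequence number and data of an echo-style message."""
    if len(message) < 8:
        raise ValueError("truncated ICMP message")
    mtype, _code, _checksum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return mtype, ident, seq, message[8:]


def is_default_data(data):
    return data == WINDOWS_DATA or (len(data) == 56 and data[16:] == LINUX_TAIL)


def review_echo_traffic(messages):
    """messages: (src, dst, raw ICMP) in capture order -> [(index, reason), ...]."""
    findings, pending = [], {}
    for index, (src, dst, raw) in enumerate(messages):
        mtype, ident, seq, data = parse_icmp(raw)
        if mtype not in (ECHO_REQUEST, ECHO_REPLY):
            continue
        if len(data) > MAX_EXPECTED_DATA:
            findings.append((index, f"data longer than {MAX_EXPECTED_DATA} bytes"))
        if not is_default_data(data):
            findings.append((index, "data is not a known default pattern"))
        if mtype == ECHO_REQUEST:
            pending[(src, dst, ident, seq)] = data
            continue
        sent = pending.pop((dst, src, ident, seq), None)
        if sent is None:
            findings.append((index, "reply without matching request"))
        elif sent != data:
            # A genuine Echo Reply returns the same data it received.
            findings.append((index, "reply data differs from request"))
    return findings


def echo(mtype, ident, seq, data):
    """Constructed message; checksum left at zero because it is not examined here."""
    return struct.pack("!BBHHH", mtype, 0, 0, ident, seq) + data


def constructed_capture():
    """Two ordinary ping exchanges followed by one that carries other data."""
    a, b, c, far = "10.0.0.5", "10.0.0.1", "10.0.0.7", "203.0.113.9"
    linux = bytes(16) + LINUX_TAIL
    outbound = b"constructed application data " * 4
    inbound = b"constructed response data " * 4
    return [
        (a, b, echo(ECHO_REQUEST, 1, 1, WINDOWS_DATA)),
        (b, a, echo(ECHO_REPLY, 1, 1, WINDOWS_DATA)),
        (c, b, echo(ECHO_REQUEST, 0x2A, 1, linux)),
        (b, c, echo(ECHO_REPLY, 0x2A, 1, linux)),
        (a, far, echo(ECHO_REQUEST, 7, 1, outbound)),
        (far, a, echo(ECHO_REPLY, 7, 1, inbound)),
    ]


if __name__ == "__main__":
    for index, reason in review_echo_traffic(constructed_capture()):
        print(f"message {index}: {reason}")
```

Custom ping sizes and monitoring tools also produce non-default data, so the pattern check is a prompt for review rather than proof; the request/reply mismatch is the strongest of the three signals.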

Organizations that Have Turned Off
ICMP on Externally Facing Routers
• CNN.com
• EBAY.com
• NSA.gov
• MSNBC.com
• CIA.gov
• FBI.gov
• Yahoo.com
• AMAZON.com
Ping Humor
• Book about Ping
the Duck
• “Ping” is a
Chinese name for
a Female.
• I have a friend in
technology sales
named “Ping
You”.
WireShark

• Wireshark is
considered by many
professionals as the
best free network
packet analysis tool.
• Download it here:
https://www.wireshark.org/download.html

WireShark

WireShark

IPv4 Address Exhaustion
• By June 2015, the
IPv4 Address Space
was officially
exhausted.
• Some companies sell
or rent IPv4 addresses,
but they are
increasingly
expensive.
IPv4 Address Exhaustion
• Reasons:
– Less than 4.28 billion IPv4 addresses
– Over 5.8 billion people are presently using the
Internet.
– TCP/IP has exploded in popularity and
numbers of devices
– Cell phones, Internet TVs, and Internet of
Things Devices

IPv4 Address Generator

This PERL code will generate every IPv4 address in the IPv4 Address Space.
Carna BotNet IPv4 Census of 2012
• The Carna Botnet was created and executed quietly by a lone, unknown hacker with
excellent programming skills in Q3 2012.
• The intent of this individual was to take control of as many external facing IP hosts
as possible from a single desktop networked computer on the Internet. In this case,
approximately 420,000 hosts were under the command and control of the Carna
Botnet. This represents about 1% of the total available IPv4 addresses at that time.
• To this day, the author is known only by a Public PGP Key that was listed in the
professionally written, illustrated technical report.
• It was a lone individual, though in the paper they use first person plural pronoun,
“WE”. At the end of the paper, the author admits that “we” is actually “me”.
• It showed that host devices and the Internet as a whole are vulnerable to such
unanticipated “attacks”.
• Many found the report, the findings, and the feat itself “inspiring”, and this includes
myself.
Source: Carna Botnet Author. (2013). Internet Census 2012 Port scanning /0 using insecure embedded devices.
Retrieved from https://census2012.sourceforge.net/paper.html.
Carna BotNet IPv4 Census of 2012
Abstract

While playing around with the Nmap Scripting Engine (NSE) we discovered
an amazing number of open embedded devices on the Internet. Many of
them are based on Linux and allow login to standard BusyBox with empty
or default credentials. We used these devices to build a distributed port
scanner to scan all IPv4 addresses. These scans include service probes for
the most common ports, ICMP ping, reverse DNS and SYN scans. We
analyzed some of the data to get an estimation of the IP address usage.

All data gathered during our research is released into the public domain for
further study.

Source: Carna Botnet Author. (2013). Internet Census 2012 Port scanning /0 using insecure embedded devices.
Retrieved from https://census2012.sourceforge.net/paper.html.
Carna BotNet IPv4 Census of 2012
Proof of Concept
To further verify our sample data, we developed a small binary that could be uploaded to insecure devices.

To minimize interference with normal system operation, our binary was set to run with a watchdog and on the
lowest possible system priority. Furthermore, it was not permanently installed and stopped itself after a few
days. We also deployed a readme file containing a description of the project as well as a contact email
address.

The binary consists of two parts. The first one is a telnet scanner which tries a few different login
combinations, e.g. root:root, admin:admin and both without passwords. The second part manages the
scanner, gives it IP ranges to scan and uploads scan results to a specified IP address. We deployed our
binary on IP addresses we had gathered from our sample data and started scanning on port 23 (Telnet) on
every IPv4 address. Our telnet scanner was also started on every newly found device, so the complete scan
took only roughly one night. We stopped the automatic deployment after our binary was started on
approximately thirty thousand devices.

The completed scan proved our assumption was true. There were in fact several hundred thousand
unprotected devices on the Internet making it possible to build a super fast distributed port scanner.

Source: Carna Botnet Author. (2013). Internet Census 2012 Port scanning /0 using insecure embedded devices.
Retrieved from https://census2012.sourceforge.net/paper.html.
Carna BotNet IPv4 Census of 2012
Numbers
The numbers below were filtered to eliminate noise and match a time period from June 2012 to October 2012.
The data used for these numbers is the same that was used for the browsable Hilbert map.

420 Million IPs responded to ICMP ping requests more than once. [Map]
165 Million IPs had one or more of the top 150 ports open. 36 Million of these IPs did not respond to ICMP ping. [Map]
141 Million IPs had only closed/reset ports and did not respond to ICMP ping. Most of these were firewalled IP ranges where it
was uncertain if they had actual computers behind them. [Map]
1051 Million IPs had a reverse DNS record. [Map] 729 Million of these IPs had nothing more and did not respond to any probe.
30000 /16 networks contained IPs that responded to ICMP ping, 14000 /16 networks contained 90% of all pingable IPs.
4.3 Million /24 networks contained all 420 Million pingable IPs.

So, how big is the Internet?


That depends on how you count. 420 Million pingable IPs + 36 Million more that had one or more ports open, making 450
Million that were definitely in use and reachable from the rest of the Internet. 141 Million IPs were firewalled, so they could
count as "in use". Together this would be 591 Million used IPs. 729 Million more IPs just had reverse DNS records. If you added
those, it would make for a total of 1.3 Billion used IP addresses. The other 2.3 Billion addresses showed no sign of usage.

Source: Carna Botnet Author. (2013). Internet Census 2012 Port scanning /0 using insecure embedded devices.
Retrieved from https://census2012.sourceforge.net/paper.html.
Carna BotNet IPv4 Census of 2012
Conclusion
This was a fun project and there are many more things we could have done, but this concludes
our work. The binary stops itself after some time and most of the deployed versions have
already done that by now. All of our initial goals as well as some extras like traceroute were
achieved, we have completed, to our knowledge, the largest and most comprehensive IPv4
census ever. With a growing number of IPv6 hosts on the Internet, 2012 may have been the
last time a census like this was possible.

We hope other researchers will find the data we have collected useful and that this publication
will help raise some awareness that, while everybody is talking about high class exploits and
cyberwar, four simple stupid default telnet passwords can give you access to hundreds of
thousands of consumer as well as tens of thousands of industrial devices all over the world.

Source: Carna Botnet Author. (2013). Internet Census 2012 Port scanning /0 using insecure embedded devices.
Retrieved from https://census2012.sourceforge.net/paper.html.
Carna BotNet IPv4 Census of 2012
Who and Why
You may ask yourself who we are and why we did what we did.

In reality, we is me. I chose we as a form for this documentation because it's nicer to read, and
mentioning myself a thousand times just sounded egotistical.

The why is also simple: I did not want to ask myself for the rest of my life how much fun it could
have been or if the infrastructure I imagined in my head would have worked as expected. I saw
the chance to really work on an Internet scale, command hundred thousands of devices with a
click of my mouse, portscan and map the whole Internet in a way nobody had done before,
basically have fun with computers and the Internet in a way very few people ever will. I decided
it would be worth my time.

Just in case someone else tries to take credit for my work: My PGP public key

Source: Carna Botnet Author. (2013). Internet Census 2012 Port scanning /0 using insecure embedded devices.
Retrieved from https://census2012.sourceforge.net/paper.html.
Carna BotNet IPv4 Census of 2012

Source: Carna Botnet Author. (2013). Internet Census 2012 Port scanning /0 using insecure embedded devices.
Retrieved from https://census2012.sourceforge.net/paper.html.
Carna BotNet IPv4 Census of 2012
Hilbert Curves

Source: Carna Botnet Author. (2013). Internet Census 2012 Port scanning /0 using insecure embedded devices.
Retrieved from https://census2012.sourceforge.net/paper.html.
Carna BotNet IPv4 Census of 2012

Source: Carna Botnet Author. (2013). Internet Census 2012 Port scanning /0 using insecure embedded devices.
Retrieved from https://census2012.sourceforge.net/paper.html.
Carna BotNet IPv4 Census of 2012
• Parth Shukla analyzed the data and the findings:
– Among the findings he culled from the botnet data: More than 2,000
different manufacturers' products were wide open to access via a Telnet
connection over the public Internet, and 28 percent of them were
Chinese vendor ZTE's products. China also made up the largest
percentage of infected and prone devices, with 56 percent of the
vulnerable devices (720,141), while Hong Kong was home to 7 percent
of infections (91,453), and Brazil had 2 percent, (30,242 devices). The
U.S., meanwhile, also accounted for some 2 percent of the prone
devices, with 24,243.
– By region, Asia accounted for 78 percent of the vulnerable equipment;
Europe, 13 percent; South America, 5 percent; North America, 3
percent; and Africa, 1 percent.

Source: Higgins, K.J. (2013). What the Carna Botnet Also Found. Published by Dark Reading. Retrieved from
https://www.darkreading.com/vulnerabilities-threats/what-the-carna-botnet-also-found
Carna BotNet IPv4 Census of 2012
• Important Infrastructure and Network Manager Tip:
– For years after the Carna Botnet event, smart system
administrators from various organizations would
download the TB of host IP data from the Carna Botnet
for research and analysis, to find out whether any
devices that were hit by the Carna Botnet were under their
control. If they got a match on one or more IP
addresses, they would know that they had vulnerable
devices and could therefore plan for remediation.
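
One way to run the match described in this tip, as an added example that is not part of the original slides: it streams a host list and reports every address that falls inside your own CIDR blocks. The one-record-per-line layout with the IP in the first field, the sample rows, and the OWNED ranges are assumptions (constructed, using documentation address space), not the real census format.

```python
import bisect
import io
import ipaddress

def build_intervals(cidrs):
    """Collapse owned IPv4 CIDR blocks into sorted (start, end) integer ranges."""
    nets = sorted(ipaddress.collapse_addresses(
        ipaddress.ip_network(c, strict=False) for c in cidrs))
    return [(int(n.network_address), int(n.broadcast_address)) for n in nets]

def find_owned_hosts(lines, cidrs):
    """Stream dataset lines; return {ip: record_count} for IPs inside our ranges."""
    intervals = build_intervals(cidrs)
    starts = [start for start, _ in intervals]
    hits = {}
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        try:
            ip = ipaddress.IPv4Address(fields[0])
        except ipaddress.AddressValueError:
            continue  # header row or malformed record
        # Binary search: last owned range that starts at or before this IP.
        i = bisect.bisect_right(starts, int(ip)) - 1
        if i >= 0 and int(ip) <= intervals[i][1]:
            hits[str(ip)] = hits.get(str(ip), 0) + 1
    return hits

# Constructed sample rows (assumed layout: ip, timestamp, state).
SAMPLE = (
    "# ip\ttimestamp\tstate\n"
    "192.0.2.17\t1345000000\topen\n"
    "198.51.100.200\t1345000100\topen\n"
    "203.0.113.5\t1345000200\topen\n"
    "192.0.2.17\t1345000300\topen\n"
    "not-an-ip\t0\tx\n"
)
# Hypothetical address space owned by the organization doing the check.
OWNED = ["192.0.2.0/25", "192.0.2.128/25", "203.0.113.0/29"]

if __name__ == "__main__":
    for ip, count in sorted(find_owned_hosts(io.StringIO(SAMPLE), OWNED).items()):
        print(f"{ip} appears in {count} record(s): schedule for remediation")
```

For a multi-terabyte dataset, pass an open file handle instead of `io.StringIO` so that records are processed one line at a time.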

Common Network Protocols

Common TCP and UDP Port
Assignments

Sources: IANA, IETF, Microsoft


Use MS Sysinternals Utility TCPView to See
TCP Ports on MS Networking Platforms
Free from the Microsoft Sysinternals Website

The TCP Finite State Machine
• This diagram shows the
model that governs the
behavior of TCP at
Layer 4 in the OSI
model.
• The states listed in the
circles in this diagram
are the possible states of
the virtual circuit
connection with the IP
host that this machine
is communicating with.
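
The state model described above, as an added example that is not part of the original slides: a table-driven simulation of two endpoints that walks a connection through the handshake and an orderly close. State names follow RFC 793; the event names, the `simulate` function and the scripts are assumptions made for this illustration, and the table is a simplified subset (no RST, simultaneous open or retransmission).

```python
from collections import deque

# (current state, event) -> (next state, segment sent to the peer or None).
# Events are user calls (passive_open, active_open, close, timeout) or a
# received segment (SYN, SYN+ACK, ACK, FIN).
TRANSITIONS = {
    ("CLOSED", "passive_open"): ("LISTEN", None),
    ("CLOSED", "active_open"): ("SYN_SENT", "SYN"),
    ("LISTEN", "SYN"): ("SYN_RECEIVED", "SYN+ACK"),
    ("SYN_SENT", "SYN+ACK"): ("ESTABLISHED", "ACK"),
    ("SYN_RECEIVED", "ACK"): ("ESTABLISHED", None),
    ("ESTABLISHED", "close"): ("FIN_WAIT_1", "FIN"),
    ("ESTABLISHED", "FIN"): ("CLOSE_WAIT", "ACK"),
    ("FIN_WAIT_1", "ACK"): ("FIN_WAIT_2", None),
    ("FIN_WAIT_1", "FIN"): ("CLOSING", "ACK"),
    ("FIN_WAIT_2", "FIN"): ("TIME_WAIT", "ACK"),
    ("CLOSE_WAIT", "close"): ("LAST_ACK", "FIN"),
    ("CLOSING", "ACK"): ("TIME_WAIT", None),
    ("LAST_ACK", "ACK"): ("CLOSED", None),
    ("TIME_WAIT", "timeout"): ("CLOSED", None),
}
PEER = {"client": "server", "server": "client"}

def simulate(script):
    """Apply (endpoint, user_event) steps in order, delivering each emitted
    segment to the peer. Returns (final_states, trace)."""
    state = {"client": "CLOSED", "server": "CLOSED"}
    trace = []
    for step in script:
        queue = deque([step])
        while queue:
            host, event = queue.popleft()
            key = (state[host], event)
            if key not in TRANSITIONS:
                raise ValueError(f"{host}: {event!r} is not valid in {state[host]}")
            state[host], segment = TRANSITIONS[key]
            trace.append((host, event, state[host]))
            if segment:
                queue.append((PEER[host], segment))
    return state, trace

HANDSHAKE = [("server", "passive_open"), ("client", "active_open")]
FULL_SESSION = HANDSHAKE + [("client", "close"), ("server", "close"), ("client", "timeout")]

if __name__ == "__main__":
    for host, event, new_state in simulate(FULL_SESSION)[1]:
        print(f"{host:6} {event:12} -> {new_state}")
```

Stopping the script after the client's `close` leaves the server in CLOSE_WAIT, the state a tool such as TCPView shows while the local application has not yet closed its socket.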

TCP Finite State Machine

[Figure: network stack components by OSI layer]
Application (Layer 7): User-mode Process, Network Providers
Presentation (Layer 6): IFS Manager, File Server / Redirector
Session (Layer 5): Microsoft Client (SMB), Netware Client (SMB)
Transport (Layer 4): Transport Protocol Stacks: TCP, TCPv6, SPX
Network (Layer 3): IPv4, IPv6, IPX
Data Link (Layer 2): NDIS 3.0, NIC device driver
Physical (Layer 1): NIC

IPv4 vs. IPv6

Economics to Deploy IPv6

Reasons NOT to Deploy IPv6

Conclusion
• The TCP/IP protocol suite was designed and engineered by
extremely talented practitioners who understood computers,
software, and computer networking at both a theoretical level
and a practical level.
• The standards that describe the operation of TCP/IP protocols
are known as the RFCs; these are published by the IETF and are
freely available to the public.
• The examples in this presentation, if tried out, can teach people
a great deal about how TCP/IP enables communications on a
computer network.
• TCP/IP is something that you should know because its suite of
protocols runs the Internet and most of the world of networking.

Questions?

References
• Brightwood, N. (2024). IPv6 Loopback Address Explained. Retrieved from https://netseccloud.com/ipv6-loopback-address.
• Carna Botnet Author. (2013). Internet Census 2012: Port scanning /0 using insecure embedded devices. Retrieved from https://census2012.sourceforge.net/paper.html.
• Cerf. V (1999).
• Comer, D. E. (2018). The Internet Book, 5th edition. Published by Chapman and Hall/CRC.
• Grimmick, R. (2023). What is Traceroute? How It Works and How to Read Results. Retrieved from https://www.varonis.com/blog/what-is-traceroute.
• Grinberg, S. (2024). How Hackers Use ICMP Tunneling to Own Your Network. Retrieved from https://www.cynet.com/attack-techniques-hands-on/how-hackers-use-icmp-tunneling-to-own-your-network/.
• Higgins, K.J. (2013). What the Carna Botnet Also Found. Retrieved from https://www.darkreading.com/vulnerabilities-threats/what-the-carna-botnet-also-found.
• IETF. (1981). The Internet Control Messaging Protocol. Retrieved from https://www.rfc-editor.org/rfc/rfc792.txt.
• Kozierok, C. M. (2005). The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference. Published by No-Starch Press.
• Meridian Outpost. (2024). Five IPv4 Network Classes. Retrieved from https://www.meridianoutpost.com/resources/articles/IP-classes.php#google_vignette.
• Novell. (2024). TCP/IP Protocol Suite. Retrieved from http://www.novell.com/documentation/nw65/ntwk_ipv4_nw/?page=/documentation/nw65/ntwk_ipv4_nw/data/hozdx4oj.html.
• Piscitello, D. M., and Chapin, A. L. (1993). Open Systems Networking: TCP/IP and OSI. Published by Addison Wesley.
• Pyles, Carrell, and Titel. (2024). Guide to TCP/IP: IPv6 and IPv4, 5th ed. Retrieved from https://www.guidetotcpip.com/wp-content/uploads/files/Appendices/tcpip5e_CommandLineIPUtils.pdf.
• Wilensky, M., and Leiden, C. (1995). TCP/IP For Dummies. Published by IDG Books.
• Wikipedia. (2024). Classless Inter-Domain Routing. https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.

The TCP/IP Guide

(My Favorite)

William Favre Slater, III
➢ President / CEO / CISO of Slater Technologies, Inc
➢ 312-342-2626
➢ [email protected]
➢ http://billslater.com/interview
➢ 1515 W. Haddon Ave., Unit 309
Chicago, IL 60642
United States of America

William Favre Slater, III – October 10, 2024