Imagine you are mailing a letter. You need the recipient’s address — street, city, zip code — for the postal service to deliver it. The internet works the same way. Every device connected to a network needs a unique identifier so data can be routed to the correct destination. That identifier is an IP (Internet Protocol) address.
Without an IP address, a packet of data has nowhere to go. Your phone, your laptop, the server hosting this blog, the Wi-Fi router at your coffee shop — every single one has an IP address. Right now, as you read this, your device used an IP address to fetch this page from a server thousands of miles away.
There are two versions in active use today: IPv4, which has been around since 1983, and IPv6, designed to solve the exhaustion problem that IPv4 eventually ran into.
Think of the internet as a global postal system:
An IPv4 address is a 32-bit number, typically written as four decimal numbers (called octets) separated by dots:
```text
192.168.1.42
```
Each octet represents 8 bits. In binary, the same address looks like this:
```text
11000000.10101000.00000001.00101010
```
Let’s break that down octet by octet:
| Octet | Decimal | Binary | What it means |
|---|---|---|---|
| 1 | 192 | 11000000 | First 8 bits of the address |
| 2 | 168 | 10101000 | Second 8 bits |
| 3 | 1 | 00000001 | Third 8 bits |
| 4 | 42 | 00101010 | Fourth 8 bits |
Each bit is either a 0 or a 1. With 8 bits per octet, the possible values range from 00000000 (0) to 11111111 (255). That gives each octet 256 possible values.
The 32-bit address space yields 2^32, or roughly 4.3 billion unique addresses. That seemed infinite in the early 1980s when the internet was a research project connecting a few hundred universities. But with billions of phones, computers, IoT devices, and servers now online, the pool ran dry. IPv4 addresses were formally exhausted by the major regional registries between 2011 and 2019.
Computers do not understand decimal numbers like “192”. They think in binary — ones and zeros. Every operation on an IP address (determining which network it belongs to, whether it is private, how to route it) happens at the bit level.
When a router receives a packet, it extracts the destination IP and compares it against its routing table using bitwise operations. For example, a router with a /24 subnet mask performs a bitwise AND between the destination IP and the mask 255.255.255.0 to extract the network portion. This happens millions of times per second on busy routers.
Understanding binary is the key to understanding everything else: subnetting, CIDR, and how routers make decisions.
An IP address is a unique identifier assigned to each device on a network. IPv4 addresses are 32-bit numbers written as four octets (0-255) separated by dots. Each octet represents 8 bits of the full address.
IPv6 expands the address space to 128 bits, providing 2^128 possible addresses. How big is that?
```text
340,282,366,920,938,463,374,607,431,768,211,456
```
That is 340 undecillion. To put that in perspective: there are enough IPv6 addresses for every atom on Earth’s surface to have its own address, several times over. You could assign an IPv6 address to every grain of sand on the planet and still have plenty left.
An IPv6 address uses hexadecimal groups (base-16, using digits 0-9 and letters a-f) separated by colons:
```text
2001:0db8:85a3:0000:0000:8a2e:0370:7334
```
Two shorthand rules make IPv6 addresses more readable:
1. Leading zeros in each group are dropped: 0db8 becomes db8, 0370 becomes 370.
2. The longest run of consecutive all-zero groups is replaced with :: (but only once per address).

Applying both rules:
```text
2001:db8:85a3::8a2e:370:7334
```
Most of the internet still runs dual-stack (both IPv4 and IPv6 simultaneously). The reasons are practical:
The transition has been happening for over 25 years and is still not complete. In many regions, IPv6 adoption is above 50%, but traffic volume varies.
Imagine an office building with one street address. Inside, there are floors, wings, and individual offices. Subnetting works the same way — it divides a large network into smaller, more manageable pieces.
A subnet is a logically visible subdivision of an IP network. Networks are split for three main reasons:
CIDR (Classless Inter-Domain Routing) notation expresses the boundary between the network portion and the host portion using a slash followed by a number:
```text
192.168.1.0/24
```
This means the first 24 bits identify the network and the remaining 8 bits identify hosts within it. The subnet mask for a /24 is 255.255.255.0.
In binary, the mask looks like this:
```text
11111111.11111111.11111111.00000000
```
The ones are the network bits, the zeros are the host bits. A simple bitwise AND between any IP address and the subnet mask extracts the network address.
| CIDR | Subnet Mask | Addresses | Typical Use |
|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,216 | Very large networks (continent-scale) |
| /16 | 255.255.0.0 | 65,536 | Mid-size organizations |
| /24 | 255.255.255.0 | 256 | Home networks, LANs, subnets |
| /25 | 255.255.255.128 | 128 | Splitting a /24 in half |
| /28 | 255.255.255.240 | 16 | Small isolated segments |
| /32 | 255.255.255.255 | 1 | Single host (a specific device) |
Your home router almost certainly hands out addresses in the 192.168.1.0/24 range, giving you 254 usable host addresses. Why 254 and not 256? Because .0 is reserved as the network identifier and .255 is the broadcast address (used to send a message to every device on the subnet simultaneously).
CIDR notation specifies how many bits define the network portion of an address. The remaining bits identify individual hosts.
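The bit-level view of an IPv4 address from earlier in the post, and the CIDR math in this section, are both just integer operations on a 32-bit number. The following is an added example (not code from the original post) that does the octet-to-binary conversion, builds a mask from a prefix length, performs the bitwise AND a router uses to extract the network, and splits a block into smaller subnets. Addresses are the ones the text uses; the /31 and /32 handling goes slightly beyond the text (those prefixes reserve no network or broadcast address).

```python
# Added example (not from the original post): IPv4 addresses as 32-bit integers,
# their binary octets, and CIDR subnet math with a bitwise AND.

def ip_to_int(ip: str) -> int:
    """Parse dotted-decimal IPv4 into a 32-bit integer, rejecting malformed input."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {ip!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"octet out of range 0-255: {part!r}")
        value = (value << 8) | int(part)          # shift the previous octets left by 8 bits
    return value

def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int: take each 8-bit slice from the top down."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(ip: str) -> str:
    """Dotted-binary form, the way the text writes 192.168.1.42."""
    return ".".join(format((ip_to_int(ip) >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: `prefix` one-bits followed by (32 - prefix) zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0-32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_info(cidr: str) -> dict:
    """Network, mask, broadcast and host counts for an address written in CIDR notation."""
    ip, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(ip) & mask                 # the bitwise AND a router performs
    broadcast = network | (~mask & 0xFFFFFFFF)     # host bits all set to 1
    total = 1 << (32 - prefix)
    # /31 (point-to-point links) and /32 (single host) reserve no network/broadcast address
    usable = total - 2 if prefix <= 30 else total
    return {
        "network": int_to_ip(network),
        "mask": int_to_ip(mask),
        "broadcast": int_to_ip(broadcast),
        "total": total,
        "usable": usable,
        "first_host": int_to_ip(network + 1 if prefix <= 30 else network),
        "last_host": int_to_ip(broadcast - 1 if prefix <= 30 else broadcast),
    }

def split_subnet(cidr: str, new_prefix: int) -> list:
    """Carve a block into equal smaller blocks, e.g. a /24 into two /25s."""
    old_prefix = int(cidr.split("/")[1])
    if not old_prefix <= new_prefix <= 32:
        raise ValueError("new prefix must be at least as long as the original")
    base = ip_to_int(subnet_info(cidr)["network"])
    size = 1 << (32 - new_prefix)                  # addresses per child block
    return [f"{int_to_ip(base + i * size)}/{new_prefix}" for i in range(1 << (new_prefix - old_prefix))]

def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """Two hosts share a subnet when AND-ing each with the mask gives the same network."""
    mask = prefix_to_mask(prefix)
    return ip_to_int(ip_a) & mask == ip_to_int(ip_b) & mask
```

`subnet_info("192.168.1.42/24")` gives network 192.168.1.0, broadcast 192.168.1.255 and 254 usable hosts, matching the home-router paragraph above; `split_subnet("192.168.1.0/24", 25)` returns the two halves listed in the table. Python's `ipaddress` module does all of this in production code; the point here is to show the bit operations the text describes.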
Not every device needs a globally routable address. If every phone, laptop, and smart fridge needed a unique public IP, IPv4 would have run out decades sooner.
RFC 1918 defines three private address ranges that are not routed on the public internet:

- 10.0.0.0/8 (10.0.0.0 to 10.255.255.255)
- 172.16.0.0/12 (172.16.0.0 to 172.31.255.255)
- 192.168.0.0/16 (192.168.0.0 to 192.168.255.255)
Your laptop, phone, and smart TV all get private addresses from your router. The router itself holds a single public address on its upstream (internet-facing) interface. This conservation strategy is what kept IPv4 alive long after exhaustion.
Not all addresses are used to identify devices. Some have special meanings:
| Address | Purpose |
|---|---|
| 127.0.0.1 | Loopback — always refers to your own machine |
| 0.0.0.0 | Unspecified — used as a placeholder |
| 255.255.255.255 | Limited broadcast — all devices on local network |
| 224.0.0.0/4 | Multicast — one-to-many delivery |
| 169.254.0.0/16 | Link-local — auto-configured when no DHCP |
| ::1 | IPv6 loopback |
| fe80::/10 | IPv6 link-local |
The loopback address 127.0.0.1 (often just called “localhost”) is special — traffic sent to it never leaves your machine. It is used for development, testing, and services that only need to communicate locally.
Private IP ranges are reserved for internal networks and not routable on the public internet. NAT (Network Address Translation) allows private devices to communicate externally using a shared public IP.
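A practical use of the private and special-purpose ranges above is deciding whether an address is one a server should ever connect out to. The added example below (not code from the original post) classifies IPv4 and IPv6 addresses into the categories from the two sections above using the standard `ipaddress` module, and wraps that in a check a service can run before fetching a user-supplied URL. The IPv6 unique-local range fc00::/7 is included as the IPv6 counterpart of RFC 1918; that is my addition, not something the text states.

```python
import ipaddress

# Added example (not from the original post): classify an address by the ranges discussed above.

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")                  # IPv6 unique local addresses (my addition)
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def classify(text: str) -> str:
    """Return one of: unspecified, loopback, link-local, multicast, broadcast, private, public.
    Raises ValueError for anything that is not a literal IP address (hostnames included)."""
    addr = ipaddress.ip_address(text)
    if addr.is_unspecified:                              # 0.0.0.0 or ::
        return "unspecified"
    if addr.is_loopback:                                 # 127.0.0.0/8 or ::1
        return "loopback"
    if addr.is_link_local:                               # 169.254.0.0/16 or fe80::/10
        return "link-local"
    if addr.is_multicast:                                # 224.0.0.0/4 or ff00::/8
        return "multicast"
    if addr == LIMITED_BROADCAST:
        return "broadcast"
    if addr.version == 4 and any(addr in net for net in RFC1918):
        return "private"
    if addr.version == 6 and addr in ULA:
        return "private"
    return "public"

def is_safe_outbound_target(text: str) -> bool:
    """Defender check: a server fetching URLs on behalf of users should only talk to public
    addresses. Resolve a hostname first and run this on every address it resolves to."""
    try:
        return classify(text) == "public"
    except ValueError:
        return False
```

Note that `classify("localhost")` raises and therefore `is_safe_outbound_target("localhost")` is `False`: the function deliberately refuses names, because the decision only makes sense on the address a name actually resolves to.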
An IP address gets data to the right device, but a device runs many applications simultaneously. Your browser, your email client, your music app — they all need network access at the same time. How does the OS know which application should receive an incoming packet?
Ports solve this. A port is a 16-bit number (0-65535) that identifies a specific process or service on a device. If the IP address is the street address, the port is the apartment number.
Some well-known ports:
| Port | Protocol | Service |
|---|---|---|
| 80 | TCP | HTTP (unencrypted web) |
| 443 | TCP | HTTPS (encrypted web) |
| 22 | TCP | SSH |
| 53 | TCP/UDP | DNS |
| 25 | TCP | SMTP (email sending) |
| 3306 | TCP | MySQL |
| 5432 | TCP | PostgreSQL |
| 8080 | TCP | Common dev server |
When your browser connects to 93.184.216.34:443, it is connecting to a specific apartment (port 443) at a specific building (that IP address). The web server listens on port 443, the SSH server listens on port 22, and so on.
When you make an outbound connection, your OS assigns a random ephemeral port (typically in the range 32768-65535) as the source port, so the response knows where to come back to.
Ports identify which application should receive data on a device. An IP address is the building, a port is the apartment number.
Data does not travel across the internet as a continuous stream. It is broken into small chunks called packets, each wrapped in headers that contain the source IP, destination IP, source port, destination port, and other metadata.
Think of it like this: if you want to send a 100-page book to someone, you do not put all 100 pages in one envelope. You number each page, put each in its own envelope, and mail them separately. They might take different routes through the postal system, and some might arrive out of order. The recipient reassembles them using the page numbers.
On the internet:
Every packet that crosses the internet carries headers that tell routers and servers where it came from, where it is going, and how to reassemble it.
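To make "headers" concrete, here is an added example (not code from the original post) that builds a constructed IPv4 + TCP packet for the connection 192.168.1.42:52341 → 93.184.216.34:443 and then decodes it: the fields a router acts on (destination address, TTL, fragmentation flags) and the fields a host acts on (ports, sequence numbers, flags, payload). It also verifies the IPv4 header checksum, which detects corruption but not tampering; nothing in the header proves the source address is genuine, which is what makes spoofing possible. Only the minimal 20-byte headers without options are handled; TCP checksums are left zero in the constructed sample.

```python
import struct

# Added example (not from the original post): build a constructed IPv4+TCP packet,
# then parse its headers the way a router (IP layer) and a host (TCP layer) would.

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones'-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                                  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed sample: 20-byte IPv4 header (no options) + 20-byte TCP header + payload."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # TCP: src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: version/IHL, DSCP, total length, id, flags+fragment offset (DF set), TTL, protocol 6=TCP, checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, 0x1234, 0x4000, ttl, 6, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # fill in the checksum field
    return hdr + tcp + payload

def parse_packet(pkt: bytes) -> dict:
    """Decode the fields routers and hosts act on; reject truncated or corrupted headers."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _dscp, total_len, ident, flags_frag, ttl, proto, _chk, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a valid IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:                   # a correct header sums to zero with its checksum included
        raise ValueError("bad IPv4 header checksum")
    info = {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "ident": ident, "total_len": total_len,
        "protocol": {6: "TCP", 17: "UDP", 1: "ICMP"}.get(proto, str(proto)),
        "dont_fragment": bool(flags_frag & 0x4000), "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,
    }
    if proto == 6 and len(pkt) >= ihl + 20:              # TCP header follows the IP header
        src_port, dst_port, seq, ack, off, flags, win, _tchk, _urg = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
        data_off = (off >> 4) * 4                        # TCP header length in bytes
        info.update({"src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
                     "syn": bool(flags & 0x02), "ack_flag": bool(flags & 0x10), "window": win,
                     "payload": pkt[ihl + data_off:]})
    return info
```

Flipping a single header byte (the TTL, say) makes `parse_packet` raise on the checksum, which is what a router does before forwarding; the same parser accepts a packet whose source field says anything at all, which is why firewalls filter on source ranges rather than trusting the field.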
Humans remember names like dotsdecoded.com. Computers need numbers like 104.21.76.8. DNS (Domain Name System) bridges that gap. It is one of the oldest and most critical systems on the internet — without it, you would need to type IP addresses for every website you visit.
When you type a URL into your browser, the resolution process follows a chain:

1. Your OS checks its local cache, then asks the configured recursive resolver.
2. The recursive resolver asks a root nameserver, which points it to the nameserver for the top-level domain (.com, .org, etc.).
3. The TLD nameserver knows the authoritative nameserver for the specific domain.
4. The authoritative nameserver returns the record for the name.

The result is cached at each layer, so most queries never travel the full chain. After the first lookup of dotsdecoded.com, your resolver caches the result for the duration of its TTL (Time To Live), so subsequent visits are nearly instant.
| Type | Purpose | Example |
|---|---|---|
| A | IPv4 address | dotsdecoded.com → 104.21.76.8 |
| AAAA | IPv6 address | dotsdecoded.com → 2606:4700:... |
| CNAME | Alias to another domain | www.dotsdecoded.com → dotsdecoded.com |
| MX | Mail server | gmail.com → mail.gmail.com |
| NS | Authoritative nameserver | dotsdecoded.com → ns1.cloudflare.com |
| TXT | Arbitrary text (SPF, DKIM, verification) | v=spf1 include:_spf.google.com ~all |
DNS translates human-readable domain names into IP addresses.
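The record types in the table travel in a compact binary format (RFC 1035). The added example below (not code from the original post) builds a real A-record query for dotsdecoded.com, constructs a reply locally so nothing touches the network, and parses it, including the name-compression pointers that real answers use. Two defensive details a resolver needs are included: a hop limit on compression pointers (a malformed message can make them loop) and a check that the reply's transaction ID and question match the query, which is the first thing a resolver must verify before caching anything. The answer address is the one the table shows; the 300-second TTL is a constructed value.

```python
import struct

# Added example (not from the original post): DNS wire format for an A-record lookup.
# The query is genuine RFC 1035 format; the response is constructed locally.

def encode_name(name: str) -> bytes:
    """dotsdecoded.com -> b'\\x0bdotsdecoded\\x03com\\x00' (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """12-byte header (RD=1, one question) followed by QNAME, QTYPE (1 = A), QCLASS (1 = IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg: bytes, offset: int) -> tuple:
    """Read a possibly compressed name; return (name, offset just past it in the original position)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer to an earlier name
            hops += 1
            if hops > 16:                               # defensive: malformed messages can loop pointers forever
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                        # the name occupies only the 2 pointer bytes here
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_response(msg: bytes) -> dict:
    """Header flags, then the answer section; the echoed question section is skipped."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, answers = 12, []
    for _ in range(qd):
        _name, offset = decode_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:                   # A record: four raw address bytes
            data = ".".join(str(b) for b in rdata)
        elif rtype == 5:                                # CNAME: a (possibly compressed) name
            data, _ = decode_name(msg, offset)
        else:
            data = rdata.hex()
        offset += rdlen
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x0F, "answers": answers}

def validate_response(query: bytes, response: bytes) -> bool:
    """Resolvers must discard answers whose transaction ID or question do not match what they asked."""
    if len(response) < 12 or response[:2] != query[:2]:
        return False
    _name, q_end = decode_name(query, 12)
    q_end += 4
    return response[12:q_end] == query[12:q_end]

def build_sample_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply: echo the question, then one A record whose name is a pointer to offset 12."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, NOERROR
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + answer
```

`parse_response(build_sample_response(build_query("dotsdecoded.com"), "104.21.76.8"))` yields one answer, `dotsdecoded.com` type 1 with data `104.21.76.8` and the TTL that the resolver will cache it for. To send the query for real, write `build_query(...)` to a UDP socket on port 53 and pass the reply through `validate_response` before `parse_response`.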
NAT (Network Address Translation) is how your home router connects all your private devices to the internet using a single public IP. It is the single most important reason IPv4 has survived this long.
Here is what happens step by step:
1. Your laptop at 192.168.1.42 wants to visit 93.184.216.34 on port 443.
2. It sends a packet with source 192.168.1.42:52341 and destination 93.184.216.34:443.
3. The packet reaches your router at 192.168.1.1.
4. The router rewrites the source to its public address, 203.0.113.5:52341.
5. The router records the mapping 192.168.1.42:52341 ↔ 203.0.113.5:52341 in its NAT table.
6. The server replies to 203.0.113.5:52341.
7. The router looks up the mapping, rewrites the destination back to 192.168.1.42:52341, and forwards it to your laptop.

This works well for outbound connections. Inbound connections (someone on the internet trying to reach your laptop) require port forwarding or more sophisticated mechanisms.
When your device sends data to the internet, it passes through your router which performs NAT, replacing your private IP with a public one so the response can find its way back.
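The NAT table from the steps above, as an added example (not code from the original post). It rewrites outbound packets, records the mapping, reverses it for replies, and drops inbound packets that match no mapping, which is the reason inbound connections need port forwarding. Addresses are the ones in the text. One simplification is labelled in the code: the mapping is keyed on the full four-tuple, whereas real routers differ in how they key and when they expire entries.

```python
from dataclasses import dataclass, replace

# Added example (not from the original post): a minimal NAT table for outbound flows.
# Private 192.168.1.42, public 203.0.113.5 and server 93.184.216.34 are the addresses from the text.

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    def __init__(self, public_ip: str, port_range: tuple = (32768, 65535)):
        self.public_ip = public_ip
        self.port_range = port_range
        self.used_ports = set()
        self.outbound = {}   # (private ip, private port, dst ip, dst port) -> public port
        self.inbound = {}    # (public port, remote ip, remote port) -> (private ip, private port)

    def _allocate_port(self, preferred: int) -> int:
        """Keep the client's port when it is free (as in the text); otherwise take the next free one."""
        if preferred not in self.used_ports:
            self.used_ports.add(preferred)
            return preferred
        for port in range(self.port_range[0], self.port_range[1] + 1):
            if port not in self.used_ports:
                self.used_ports.add(port)
                return port
        raise RuntimeError("NAT port pool exhausted")

    def translate_outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: rewrite the source to the public address and remember the mapping.
        Simplification: keyed on the full 4-tuple; real NAT types key this differently."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            public_port = self._allocate_port(pkt.src_port)
            self.outbound[key] = public_port
            self.inbound[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_inbound(self, pkt: Packet):
        """Internet -> LAN: only packets matching an existing mapping get through; others are dropped (None)."""
        entry = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        return replace(pkt, dst_ip=entry[0], dst_port=entry[1])
```

A second LAN device that happens to pick source port 52341 for the same server gets a different public port, so the router can still tell the two replies apart; an unsolicited packet to port 22 on the public address returns `None` and never reaches the LAN.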
What actually happens when you type https://dotsdecoded.com into your browser and press Enter? Here is the complete journey, step by step, from your device to a server potentially on the other side of the planet.
Before your browser can connect to anything, it needs to know the IP address of dotsdecoded.com. Your OS checks its local cache first. If it is a miss, the request goes to your configured DNS resolver (usually your router, then your ISP’s resolver, then a public resolver like 1.1.1.1 or 8.8.8.8). The recursive resolver walks the chain: root → .com TLD → authoritative nameserver → returns the A record (104.21.76.8). This typically takes 20-100ms on a warm cache, or up to 500ms on a cold lookup.
Now your browser knows the server’s IP. It needs to establish a reliable connection. TCP (Transmission Control Protocol) does this with a three-way handshake:
```text
You → SYN → Server       "I want to talk to you"
You ← SYN+ACK ← Server   "OK, I acknowledge, let's talk"
You → ACK → Server       "Great, here comes the data"
```
Each arrow is a packet traveling across the internet. On a local connection, this takes 1-2ms. If the server is in another continent, it can take 100-300ms per round trip.
Since the URL starts with https://, the browser must establish an encrypted connection before sending any data. TLS (Transport Layer Security) negotiates encryption:
```text
You → ClientHello → Server    "Here are the cipher suites I support"
You ← ServerHello ← Server    "I picked this cipher, here's my certificate"
You ← Certificate ← Server    "This proves I am really dotsdecoded.com"
You → Key Exchange → Server   "Here's my pre-master secret (encrypted)"
You ← Finished ← Server       "Encryption is ready, start sending data"
```
The server presents an X.509 certificate signed by a Certificate Authority (like Let’s Encrypt, DigiCert, or GlobalSign). Your browser verifies the certificate chain: it checks that the CA is trusted, the certificate has not expired, and the domain name matches. If any check fails, you see the “Your connection is not private” warning.
Encryption is established. Your browser sends the actual request:
```http
GET / HTTP/1.1
Host: dotsdecoded.com
User-Agent: Mozilla/5.0 ...
Accept: text/html
Accept-Encoding: gzip, br
Connection: keep-alive
```
This packet travels through your Wi-Fi to your router, through your ISP’s network, across internet backbone cables (often undersea fiber), through multiple routers (typically 10-20 hops), until it reaches the server.
At each hop, a router makes a forwarding decision:
Routers do not look at ports, payload, or application data — they only care about the destination IP. This is why the internet scales: routers are simple forwarding engines.
Your packet might pass through equipment like this:
```text
Your Wi-Fi router
→ ISP aggregation point
→ ISP core router
→ Internet exchange point (IXP)
→ Transit provider's backbone
→ Data center edge router
→ Server load balancer
→ Application server (104.21.76.8)
```
Each hop adds roughly 1-5ms of latency. A typical cross-country path has 12-18 hops.
The server processes the request, generates the HTML, and sends it back. Large responses are split across many TCP segments. The TCP protocol guarantees reliable, ordered delivery — if a packet is lost, the receiver requests a retransmission. This all happens transparently; your browser just sees a continuous stream of data.
Your browser receives the HTML, parses it, discovers CSS and JavaScript files, makes additional requests for those assets (each following the same process), and renders the page. From your perspective, this all happens in under a second.
IP addresses are public information. Anyone can see them, and attackers use this to their advantage. Understanding how attacks work is the first step to defending against them.
An attacker targeting a specific organization typically starts by discovering its IP addresses. Common techniques:
- DNS enumeration: `dig`, `nslookup`, or tools like `subfinder` find all DNS records for a domain. This reveals IP addresses of web servers, mail servers, DNS servers, and more.
- Port scanning: `nmap` probes IP ranges for open ports and running services. A full internet scan takes only minutes with modern tools.

```bash
# Example: basic reconnaissance
dig dotsdecoded.com ANY           # DNS records
whois 104.21.76.8                 # Who owns this IP?
nslookup -type=MX gmail.com       # Find mail servers
nmap -sS -p 1-1000 104.21.76.8    # Scan ports 1-1000
```
DDoS (Distributed Denial of Service)
The most common IP-based attack. An attacker floods a target IP with more traffic than it can handle, making the service unavailable to legitimate users. This is “distributed” because it comes from thousands or millions of compromised devices (a botnet), making it nearly impossible to block by filtering a single source IP.
```text
Attacker
→ Botnet (100,000 compromised IoT devices)
→ Target server at 104.21.76.8
  (overwhelmed: 100 Gbps of garbage traffic)
```
Major DDoS attacks have exceeded 1 Tbps (terabit per second). Cloudflare, AWS Shield, and Google Cloud Armor provide DDoS mitigation by absorbing traffic at the network edge before it reaches the target.
IP Spoofing
An attacker can forge the source IP address in a packet header. The destination server sees a fake source IP and sends its response to an innocent third party. This is used in:
```text
Attacker (spoofed source: victim's IP)
→ DNS resolver: "give me EVERYTHING for isc.org"
→ Victim receives massive DNS response (amplified traffic)
```
IP spoofing only works with connectionless protocols (UDP). TCP requires the three-way handshake, so spoofing a TCP source is ineffective — the SYN-ACK goes to the spoofed address, not the attacker.
Man-in-the-Middle (MitM)
If an attacker can position themselves between you and the server (on the same Wi-Fi network, or by compromising a router), they can intercept and modify traffic. They can see every IP address, port, and packet you send. This is why HTTPS is critical — even if traffic is intercepted, TLS encryption prevents the attacker from reading the payload.
On public Wi-Fi, this is a real risk. An attacker runs a fake access point with the same name as the legitimate one (an “evil twin”), and your phone connects to it automatically. Everything you send passes through their machine.
Port Scanning and Exploitation
Once an attacker knows your IP and open ports, they probe for vulnerable services:
This is why firewalls exist — they block all ports except the ones you explicitly allow.
There is a lot of fear-mongering about IP addresses, but there are strict limits:
Every packet on the internet carries a source IP address. This is fundamental to how the protocol works — without it, responses could not be routed back. This same property that makes the internet function also makes it possible to trace illegal activity.
When a cybercrime is committed, investigators work backwards from the victim to the perpetrator:
```text
Victim's server logs
→ Attacker's public IP (from HTTP/DNS/SSH logs)
→ ISP that owns that IP (from WHOIS/RIR databases)
→ ISP's internal logs (which customer had that IP at that time?)
→ Customer's physical address (from account records)
→ Law enforcement subpoena/warrant
```
Server logs record the source IP of every connection. If someone attacks a website, the web server logs contain the attacker’s IP. If someone sends a threatening email, the mail server logs contain the connecting IP.
ISP logs are the critical link. ISPs maintain records of which customer was assigned which IP address at any given time. For residential connections with dynamic IPs, this changes frequently (sometimes every few hours). ISPs are legally required to retain these logs for a period that varies by jurisdiction (6 months to 2 years in most countries).
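The two log sources described above are joined on exactly one thing: an IP address at an instant in time. The added example below (not code from the original post) parses a few constructed web-server access-log lines in the common "combined" format, normalises their timestamps to UTC, and looks each one up in a constructed table of ISP lease records to answer "which customer had that IP at that time?". The sample shows the two things that usually go wrong in practice: the same dynamic address belonging to different customers a few hours apart, and log lines written with different UTC offsets. All addresses, timestamps and subscriber names are made up for the example.

```python
import re
from datetime import datetime, timezone

# Added example (not from the original post): correlating a server's access log with
# ISP lease records. All log lines, addresses and subscriber names are constructed sample data.

ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 403 512 "-" "curl/8.1.0"
198.51.100.77 - - [10/Oct/2023:13:55:40 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-login.php HTTP/1.1" 404 219 "-" "curl/8.1.0"
"""

# (ip, lease start, lease end, subscriber): a dynamic address moves between customers during the day
LEASES = [
    ("203.0.113.5",   "2023-10-10T09:00:00Z", "2023-10-10T15:00:00Z", "subscriber-A"),
    ("203.0.113.5",   "2023-10-10T15:00:00Z", "2023-10-10T21:00:00Z", "subscriber-B"),
    ("198.51.100.77", "2023-10-09T00:00:00Z", "2023-10-11T00:00:00Z", "subscriber-C"),
]

# Apache/nginx "combined" format: client ip, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_access_log(text: str) -> list:
    """One event per well-formed line. Each timestamp carries its own UTC offset, so every
    time is converted to UTC before it is compared with the ISP's records."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                    # skip malformed lines rather than guess
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        events.append({"ip": m["ip"], "time": ts, "request": m["req"], "status": int(m["status"])})
    return events

def parse_iso(text: str) -> datetime:
    """ISO 8601 with a trailing 'Z' (UTC), as lease records are often exported."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def subscriber_for(ip: str, at: datetime, leases: list = LEASES):
    """The ISP-side lookup: the lease that covered `ip` at instant `at` (half-open interval)."""
    for lease_ip, start, end, subscriber in leases:
        if lease_ip == ip and parse_iso(start) <= at < parse_iso(end):
            return subscriber
    return None                                         # no record: the address cannot be attributed

def attribute_events(text: str, leases: list = LEASES) -> list:
    """Join both sides: each log event with the subscriber the ISP's records would name for it."""
    return [(e["ip"], e["time"].isoformat(), e["request"], subscriber_for(e["ip"], e["time"], leases))
            for e in parse_access_log(text)]
```

Running `attribute_events(ACCESS_LOG)` attributes both 203.0.113.5 requests to subscriber-A, because they fall inside the 09:00-15:00 UTC lease; the same address at 16:00 UTC resolves to subscriber-B, and at 22:00 UTC to nobody. The `-0500` line is recorded as 18:55 UTC, not 13:55: comparing local log time against a UTC lease table without this conversion is the classic way to name the wrong customer.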
Tracing an IP address to a person requires legal process:
This process exists in every country, though the specifics vary:
| Jurisdiction | Data Retention | Legal Process |
|---|---|---|
| United States | 6-18 months | Subpoena (27 USC 2703) |
| European Union | 6-12 months (varies) | National court order |
| United Kingdom | 12 months | RIPA/SIPA court order |
| Australia | 2 years | Telecommunications Act warrant |
VPNs (Virtual Private Networks) add a layer of indirection: your traffic goes to the VPN server first, then the VPN forwards it to the destination. The target server sees the VPN’s IP, not yours. But this is not a magic shield:
LulzSec (2011) — The hacker group LulzSec breached several organizations. They were caught because one member, Hector Monsegur (“Sabu”), used his real IP address when connecting to an IRC chat server without Tor. FBI agents correlated the IP with his Comcast account, identified his address, and turned him into an informant.
Silk Road (2013) — Ross Ulbricht operated the darknet marketplace Silk Road. Despite using Tor, he made operational security mistakes: he used his real name in early forum posts, logged into Gmail from a VPN that leaked his real IP, and posted on Stack Overflow from an IP linked to his home. The FBI traced him through a combination of these slip-ups.
AlphaBay (2017) — The largest darknet marketplace was taken down when law enforcement identified the server’s real IP address. The site had a misconfigured CAPTCHA that made a direct request to a server without going through Tor, leaking the IP.
The pattern is consistent: anonymity is broken by mistakes, not by breaking encryption. The technical tools (Tor, VPNs, encryption) are strong. Human error is the weak link.