Ip-Address
Definition
An IP address (short for **Internet Protocol address**) is a unique number assigned to a device on a network so it can send and receive data. Think of it like the street address for your computer: without it, other devices wouldn't know where to deliver information.

There are two main versions in use:

* **IPv4**: Four numbers separated by dots, each between 0 and 255 (e.g., `192.168.1.10`). This is the older format and still the most common.
* **IPv6**: Eight groups of hexadecimal numbers separated by colons (e.g., `2001:0db8:85a3::8a2e:0370:7334`). Created to handle the shortage of IPv4 addresses and improve routing.

An IP address can be:

* **Public**: Assigned by your internet service provider so the outside world can communicate with your device or network.
* **Private**: Used inside local networks (like your home Wi-Fi) and not directly reachable from the internet.
* **Static**: Stays the same over time.
* **Dynamic**: Changes periodically, assigned by DHCP servers.

In cybersecurity investigations, IP addresses are critical clues. They can:

* Identify where network traffic originated or was sent
* Link malicious activity to known bad infrastructure
* Help pivot in threat intelligence databases to find related domains or attacks
* Reveal geolocation patterns (though attackers can use VPNs, proxies, or botnets to hide their real IP)

Real-world examples:

* Investigators tracing the 2016 Mirai botnet DDoS attack identified thousands of infected IoT devices by their IP addresses.
* Ransomware groups' command-and-control servers are often found by following the IP addresses malware connects to.
* Threat intel feeds regularly publish lists of "known bad" IPs for blocking in firewalls.

Further reading:

* IETF, IPv4 Standard: [https://datatracker.ietf.org/doc/html/rfc791](https://datatracker.ietf.org/doc/html/rfc791)
* IETF, IPv6 Standard: [https://datatracker.ietf.org/doc/html/rfc8200](https://datatracker.ietf.org/doc/html/rfc8200)
* Cloudflare: What is an IP Address? [https://www.cloudflare.com/learning/dns/what-is-my-ip-address/](https://www.cloudflare.com/learning/dns/what-is-my-ip-address/)
* Microsoft Learn, IP Addressing Basics: [https://learn.microsoft.com/en-us/windows-server/networking/technologies/ipam/what-s-new-ipam](https://learn.microsoft.com/en-us/windows-server/networking/technologies/ipam/what-s-new-ipam)

An IPv4 address is made up of **two main parts**: the **network portion** and the **host portion**.

* **Network portion**: Identifies the specific network the device belongs to (like the neighborhood)
* **Host portion**: Identifies the individual device within that network (like the house number)

Which bits belong to which part depends on the **subnet mask** (or prefix length). Example:

```
IP address:  192.168.1.42
Subnet mask: 255.255.255.0 (/24)
```

* `192.168.1`: network portion
* `42`: host portion

IPv4 addresses are **32 bits long** and are usually written in **dotted decimal notation**:

```
11000000.10101000.00000001.00101010
192     .168     .1       .42
```

Each group (called an **octet**) is 8 bits, so there are four octets in total.

Quick breakdown of the parts:

1. **Octets**: The four numbers separated by dots, each ranging from 0 to 255.
2. **Binary representation**: How the address is stored and processed by computers.
3. **Network ID**: Determined by the subnet mask; all devices on the same network share this part.
4. **Host ID**: Unique to each device within that network.

In investigations, understanding these parts helps you:

* Determine whether an IP is internal (private) or external (public)
* See if two IPs are on the same network
* Identify the scope of a potential compromise

Real-world example: If your logs show traffic from `10.0.5.23` and `10.0.8.15`, and your subnet mask is `/16` (`255.255.0.0`), you know they're on the same internal network, possibly both infected in the same incident.

Further reading:

* IETF RFC 791 (IPv4 spec): [https://datatracker.ietf.org/doc/html/rfc791](https://datatracker.ietf.org/doc/html/rfc791)
* Cisco IPv4 Addressing Guide: [https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.html](https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.html)
* Microsoft Learn, IPv4 Subnetting: [https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/ipv4-subnetting](https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/ipv4-subnetting)
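The network/host split and the same-subnet check described above, as an added Python example (not part of the glossary): it renders an address in dotted binary, separates network and host portions for a prefix length, labels addresses private or public, and groups the source addresses from a few constructed log lines by their `/16` network, reproducing the `10.0.5.23` / `10.0.8.15` case. The log format and addresses are made up for illustration.

```python
"""Added example: split IPv4 addresses into network/host portions, flag
private vs public, and group log sources by subnet (the /16 case above)."""
from __future__ import annotations
import ipaddress
from collections import defaultdict

# Constructed sample log lines for illustration (not from a real incident).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z conn src=10.0.5.23 dst=203.0.113.7 proto=tcp",
    "2024-05-01T10:00:03Z conn src=10.0.8.15 dst=203.0.113.7 proto=tcp",
    "2024-05-01T10:00:09Z conn src=192.168.1.42 dst=198.51.100.2 proto=udp",
]

def to_dotted_binary(ip: str) -> str:
    """Render each of the four octets as 8 bits, as in the glossary's example."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(ip).packed)

def split_network_host(ip: str, prefix: int) -> tuple[str, int]:
    """Return (network in CIDR form, host number) for ip under the given prefix length."""
    iface = ipaddress.IPv4Interface(f"{ip}/{prefix}")
    host_id = int(iface.ip) - int(iface.network.network_address)
    return str(iface.network), host_id

def classify(ip: str) -> str:
    """Label an address private or public via ipaddress.is_private (RFC 1918 plus other reserved ranges)."""
    return "private" if ipaddress.IPv4Address(ip).is_private else "public"

def same_network(ip_a: str, ip_b: str, prefix: int) -> bool:
    """True when both addresses share the same network portion at this prefix length."""
    network = ipaddress.IPv4Network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.IPv4Address(ip_b) in network

def group_sources_by_network(log_lines: list[str], prefix: int) -> dict[str, list[str]]:
    """Pull the src= address from each line and bucket the hosts by network."""
    groups: dict[str, list[str]] = defaultdict(list)
    for line in log_lines:
        src = next(f.split("=", 1)[1] for f in line.split() if f.startswith("src="))
        network, _ = split_network_host(src, prefix)
        groups[network].append(src)
    return dict(groups)

if __name__ == "__main__":
    print(to_dotted_binary("192.168.1.42"))
    print(split_network_host("192.168.1.42", 24))
    print(same_network("10.0.5.23", "10.0.8.15", 16), same_network("10.0.5.23", "10.0.8.15", 24))
    for net, hosts in group_sources_by_network(SAMPLE_LOGS, 16).items():
        print(net, hosts, [classify(h) for h in hosts])
```

Changing the prefix from 16 to 24 in the last call puts the two `10.0.x.x` hosts in different buckets, which is the scoping question an investigator asks before deciding how wide a compromise may be.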