The results of an excellent study made, for reasons that will become clear, by an anonymous author reaches this conclusion:
So, how big is the Internet?
That depends on how you count. 420 Million pingable IPs + 36 Million more that had one or more ports open, making 450 Million that were definitely in use and reachable from the rest of the Internet. 141 Million IPs were firewalled, so they could count as "in use". Together this would be 591 Million used IPs. 729 Million more IPs just had reverse DNS records. If you added those, it would make for a total of 1.3 Billion used IP addresses. The other 2.3 Billion addresses showed no sign of usage.
Notice that, of the roughly 4 billion possible IPv4 addresses, less than half appear to be "owned" by somebody and only 591 million appear to be active.
The problem is, to make the study, the author created a botnet - that is he wrote a small program that took advantage of insecure devices to enlist additional machines to help in the study. What is amazing (if you are not a security researcher) is the extent to which he was able to coop insecure devices testing only four name/password combinations, e.g. root:root, admin:admin and both without passwords.
This is very valuable research and it was apparently done without causing anyone any harm. None-the-less, the US government has treated this kind of research as a crime in the past even before all the cyber security laws of the past decade. So I hope this researcher anonymity holds.