kill or disable an IP address over a network

Hey guys.. I need an answer asap.  How do I kill or disable an IP address over a network, using the dos command line or other?
Devario Johnson, Software Engineer, Asked:
What exactly are you trying to do? If you're trying to DOS someone, we can't help you.

Or perhaps more to the point, we WON'T help you if you're trying to DOS someone.
Devario Johnson, Software Engineer, Author Commented:
NO NO NO... we are having major network problems here at work, there are viruses running wild and there are machines here on the network killing it.  We need to disable the IPs to see if we can stop this.  We already disabled the machines in the active directory, but the problems are still coming.  We have over 5000 machines here and we need to do it this way...thanks for any help I can get

a frustrated part time employee of Atlantis' IT department...
Devario Johnson, Software Engineer, Author Commented:
And we have only 5 technicians working PC NT so we are trying to do it remotely.....
Devario Johnson, Software Engineer, Author Commented:
whoa when i said DOS i mean DOS PROMPT not DoS= denial of service!!!! lol lol
Physically remove them from the network...pull the network cable out of the infected machines.  Then while they are disconnected from the network you can patch them and clean the viruses.

Once the machines are clean and patched, plug them back into the network.

If you can't get to the machine physically...

You could shut down their switch port remotely but of course you would have to know which port they are attached to...
Oh, well, your problem is you're running a buggy, virus-ridden piece of garbage OS from Redmond.

But knowing that doesn't immediately help you, so let's see what we can do to shield you from the folly of whoever was stupid enough to have your entire business enterprise rely on Windoze.

Have you identified the virus? Do you know HOW it is moving around your network?

Do you have any firewalls with which you can isolate it?

If you've identified it, is there a patch available, and what patch deployment tools do you have available?

There's no real way to "disable" an IP address. You can DOS the machine using that address, crash its IP stack and it will quit talking. If you have a sufficiently sophisticated network infrastructure, you can isolate the infected machines at their local switch. If you're in a flat IP space and using static IP addressing, you could have uninfected machines steal the IP addresses of the infected ones. If you're in a DHCP environment, you could have the DHCP server refuse to lease an address to a MAC address that you have identified as an infected machine (you still are stuck with the issue of how to cancel their existing lease).

There are a number of ways to approach your situation, and the determination of what approach is most effective depends a lot on exactly how your network infrastructure is designed and built and what tools you have at your disposal. Without knowing a lot more, it's difficult to be more specific.

Long term, perhaps this experience will serve as a business case for moving AWAY from a 100% Micro$oft environment. For your NOS, take a look at NetWare v6.5. For desktop management and directory-enabled patch deployment, look at Novell ZENworks.

Devario Johnson, Software Engineer, Author Commented:
the problem is trying to find them...the machines are named but they are not where they are supposed to be in terms of location.  The network is extremely big but we are on a flat network that isn't segmented.  [We are trying to upgrade soon :p]  therefore it is highly impossible to locate the machines physically, that is the reason why we are trying to kill the IP over the network.  We have the IP address but can't find the physical machine, but we have the IP address so if we can just disable it we hope that can work....ANY SUGGESTIONS???
You could look in your router's ARP cache and find out the MAC addresses of the infected machines.  Then locate the MAC address in your switch's MAC-address-table and match it to the switch port.  Once you know what switch port it is you can administratively shut it down.

No traffic will be allowed from the infected PC to the network.
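
The lookup chain described above (router ARP cache, then switch MAC address table, then port), as an added example that is not part of the original thread. It assumes Cisco IOS-style `show ip arp` and `show mac address-table` output; the sample listings and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed samples in Cisco IOS layout (assumed; adapt the patterns to your gear).
ARP_OUTPUT = """\
Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  10.1.1.23           5   0011.2233.4455  ARPA  FastEthernet0/0
Internet  10.1.1.40          12   00aa.bbcc.dd01  ARPA  FastEthernet0/0
"""
MAC_TABLE_OUTPUT = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Fa0/12
   1    00aa.bbcc.dd01    DYNAMIC     Gi0/1
   1    0050.5600.0001    DYNAMIC     Gi0/1
"""
MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"

def parse_arp(text):
    """Return {ip: mac} from the router's ARP cache listing."""
    pat = re.compile(r"^Internet\s+(\d+(?:\.\d+){3})\s+\S+\s+(" + MAC + ")", re.M)
    return {ip: mac.lower() for ip, mac in pat.findall(text)}

def parse_mac_table(text):
    """Return {mac: port} from the switch's MAC address table."""
    pat = re.compile(r"^\s*\d+\s+(" + MAC + r")\s+\S+\s+(\S+)\s*$", re.M)
    return {mac.lower(): port for mac, port in pat.findall(text)}

def locate(bad_ips, arp_text, mac_text):
    """Map each suspect IP to (mac, port, note) so only access ports get shut."""
    arp, table = parse_arp(arp_text), parse_mac_table(mac_text)
    macs_on_port = Counter(table.values())
    found = {}
    for ip in bad_ips:
        mac = arp.get(ip)
        port = table.get(mac) if mac else None
        if mac is None:
            note = "no ARP entry: host silent or behind another router"
        elif port is None:
            note = "MAC not learned on this switch"
        elif macs_on_port[port] > 1:
            note = "shared port (uplink or hub): repeat the lookup downstream"
        else:
            note = "access port: candidate for administrative shutdown"
        found[ip] = (mac, port, note)
    return found

if __name__ == "__main__":
    print(locate(["10.1.1.23", "10.1.1.40", "10.1.1.99"], ARP_OUTPUT, MAC_TABLE_OUTPUT))
```

A port that has learned several MAC addresses is usually an uplink to another switch or hub, so shutting it would cut off every machine behind it; the lookup has to be repeated on the downstream device until a single-MAC port is found.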
Devario Johnson, Software Engineer, Author Commented:
ok We are on a DHCP environment and we just need the machine(s) disabled today.  I saw someone use a kill command in dos but I can't remember what it is.  We want to do it this way because when it is disabled the person will call saying they can't use the network, that way we can find out where it is...... THANKS FOR ANY HELP!!!!
Devario Johnson, Software Engineer, Author Commented:
I'm increasing points !!!!!!! WE NEED HELP!!!!
Ooo....flat, unsegmented network. Bad news in your situation - there's no "border guards", no way to really control your network traffic. Every machine has uninhibited access to every other machine on the network.

Here's a solution - a bit drastic, but it may be the only practical approach. Shut down all your switches - at the port level if you can. Kill your network. Then go around machine to machine, clean/disinfect each one, apply the appropriate patches, and then bring its switch port back up and let it talk.

It's drastic, yes. It will sure as hell disrupt business operations. But given the environment you describe (100% M$, flat network, no segmenting, DHCP) it may be the only way to stop the malware spread.
Maybe you are thinking about this?

It references killing an established connection to a computer.  This will not help you though.  I would find their mac address and shut down their switch port...

Wadski, IT Director, Commented:
Use Command Prompt to message each machine in turn asking them to ring you.  Get a physical location for the machine and then isolate it on a VLAN and check it's behaving.  Move on to the next machine until everything is on the new VLAN.

Then remove VLAN and buy some AV software.

Devario Johnson, Software Engineer, Author Commented:
Hey guys we can't shut down business operations cuz this is Atlantis, the biggest hotel in the world.....we need another approach...PLEASE :D (sorry for sounding so demanding)
Is Wadski's idea viable? Do you have VLAN capability? If you do, his idea is as good as any.
How many physical locations are we talking about?  Is this in one building/campus or is this on a WAN?
Devario Johnson, Software Engineer, Author Commented:
it is on a WAN
Devario Johnson, Software Engineer, Author Commented:
700 locations
Devario Johnson, Software Engineer, Author Commented:
ok thanks for all the help right, but the bottom line comes to: is there a command using the DOS prompt that will allow me to kill an IP address?
How many locations? - you say you have 5 techs and are trying to fix this remotely. Looks like you're in a world of hurt.

As the others have indicated, individual turning off of IP addresses isn't exactly a common activity.  If these folx can't figure out a way, it's not likely there is one that will help you, so I am going in another direction here.

Do you have any kind of antivirus running?  Do you have any enterprise desktop management software, like Zen for Desktops or LanDesk Manager, that can force execution remotely?

Have you identified the virus?  Does it have a "cleaner" utility available?  Is it one that exploits specific Microsoft vulnerabilities that have been addressed in service packs or hotfixes?  Does it use any particular service?  If you have a desktop management utility, can you remotely disable services?
Ah, I think I see what you're asking now.

Since you're in a DHCP environment, try the following in a DOS box:

ipconfig /release

That will cause the TCP/IP stack to give up its IP address assignment. At this juncture, TCP/IP is loaded but not bound to a specific adapter.
Devario Johnson, Software Engineer, Author Commented:
yah but is there a way we can do it REMOTELY
NO! There is no remote way to do it. You need to follow the advice of the good folks above and stop. You are in a world of hurt and there is no easy way out of this. You are going to have to ID the problem machine and physically isolate it.  If you have enterprise AV running, it should identify the machine for you.  There are network mapping tools that can scan your network and match IP addresses to MAC addresses.  Beyond that, if you don't have any idea where particular machines are in your physical environment, you are going to have to isolate them one by one until you find the problem machine.

And if a virus is responsible, it is very likely that the infection has spread far beyond one machine, given your system design and apparent lack of AV resources.
Do you have any remote-control software loaded on the desktops?  

Without remote-control to the desktop (which would disconnect as soon as you kill IP) or enterprise desktop management software, you have no recourse.  Without one of those tools in place, there is no remote way, as JConchie said.

When you finally get this crisis cleaned up, you need to leverage it to get funding to purchase, install and implement several enterprise tools.  Enterprise A/V.  Enterprise desktop management.  Infrastructure reconfiguration.  Improved firewalling.  Corporate standard desktop configurations with lockdowns.  WAN redundancy/failover.

Like you said earlier, you can't afford to have your network out of service.  As Ben Franklin said, "an ounce of prevention is worth a pound of cure."  That means it's cheaper to avoid a problem than to fix an avoidable problem after the fact.
Devario Johnson, Software Engineer, Author Commented:
ok guys thanks for the help but I guess all is lost then...we'll have to do it one by one until something gives....We have McAfee on all the machines by the way
Try solving it using the logon script.
Create a list with your bad IP addresses (one IP per line). Put it into your netlogon share. Put logoff.exe and sleep.exe from the resource kit in the netlogon share as well.
Put the script below at the beginning of your logon script.
If the machine that the user uses to log on has a "bad" IP, it will display the message asking the user to report in, and log the user right back off after two minutes.
When the user calls, note his whereabouts and his IP. To enable him to work again, simply delete his IP from the bad list. Once the list is empty, you have the position of all the machines.

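@echo off
:: List of infected IP addresses, one per line, in the netlogon share
set BadIPList=%LogonServer%\netlogon\badip.txt
:: Read this machine's IP address from ipconfig and strip the spaces
for /f "tokens=2 delims=:" %%a in ('ipconfig ^| find /i "IP Address"') do set IP=%%a
set IP=%IP: =%
:: Whole-line literal match, so 10.0.0.1 in the list does not also catch 10.0.0.10
findstr /x /l /c:"%IP%" "%BadIPList%" >NUL
:: errorlevel 1 means the IP is not on the bad list: carry on with the normal logon
if errorlevel 1 goto logon
net send %ComputerName% "Your computer (%IP%) is virus infected. Please call help desk at 555-5555 *immediately*. You will only be able to log on after you report in."
%logonserver%\netlogon\sleep.exe 120
%logonserver%\netlogon\logoff.exe /f /n

:logon
:: *** Put your regular logon script here: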
What type of switches are you running?  You can track mac from the ip, then block the MAC on most quality switches.  Contact me if you need help with Cisco switches, others I don't know well enough to help on.
Bravo oBdA!  That sounds like the very thing!
first thing to do: kill (stop all running servers), SMTP especially
GRiTech, IT Engineer, Commented:
Have you tried nbtstat -A xxx, where xxx is the IP address? This should throw up the name of the person logged onto the PC/s, who can then be contacted.

Bottom line is there is no easy way to fix this
your IT manager should be flogged LOL
You say you are using Mcafee, definitions up to date?
What virus/virii are we dealing with?
check into lansurveyor
try running shutdown.exe and pass it the ip address of the machine you want to shutdown...should be easily batched
And I thought I was understaffed......

When you get a chance to come up for air, a report from you on how you and your four cohorts finally dealt with this mess........and what changes you plan to make to your network as a result of this experience would be much appreciated by all of us.

We may not have been much help to you here, but your experience may be valuable to others down the line.

hope it has worked out.
Devario Johnson, Software Engineer, Author Commented:
ok guys, this is what took a very long time...but we got it down to a manageable few hundred computers distributing the virii.  We never got it eradicated though...and I have quit since then and I'm back in make sure if something like that happens again, I can handle it and get a big promotion while everyone else is scratching their heads....thanks for all the help though....
Devario Johnson, Software Engineer, Author Commented:
ok guys here's the bottom line...because of all the help I received in this area I'm still going to award points...there's no reason why your efforts shouldn't go bumping the points and sharing em out. :D