Solved

kill or disable an IP address over a network

Posted on 2003-10-29
Last Modified: 2012-05-04
Hey guys.. I need an answer asap,  How do I kill or disable an IP address over a network, using the dos command line or other?
0
Question by:Devario Johnson
37 Comments
 
LVL 34

Expert Comment

by:PsiCop
What exactly are you trying to do? If you're trying to DOS someone, we can't help you.

0
 
LVL 34

Expert Comment

by:PsiCop
Or perhaps more to the point, we WON'T help you if you're trying to DOS someone.
0
 
LVL 5

Author Comment

by:Devario Johnson
NO NO NO... we are having major network problems here at work, there are viruses running wild and there are machines here on the network killing it.  We need to disable the IPs to see if we can stop this.  We already disabled the machines in the Active Directory, but the problems are still coming.  We have over 5000 machines here and we need to do it this way...thanks for any help I can get


        signed
a frustrated part time employee of Atlantis' IT department...
0
 
LVL 5

Author Comment

by:Devario Johnson
And we have only 5 technicians working PC NT so we are trying to do it remotely.....
0
 
LVL 5

Author Comment

by:Devario Johnson
whoa when i said DOS i mean DOS PROMPT not DoS= denial of service!!!! lol lol
0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 25 total points
Physically remove them from the network...pull the network cable out of the infected machines.  Then while they are disconnected from the network you can patch them and clean the viruses.

Once the machines are clean and patched, plug them back into the network.

If you can't get to the machine physically...

You could shut down their switch port remotely but of course you would have to know which port they are attached to...
0
 
LVL 34

Accepted Solution

by:PsiCop
PsiCop earned 200 total points
Oh, well, your problem is you're running a buggy, virus-ridden piece of garbage OS from Redmond.

But knowing that doesn't immediately help you, so let's see what we can do to shield you from the folly of whoever was stupid enough to have your entire business enterprise rely on Windoze.

Have you identified the virus? Do you know HOW it is moving around your network?

Do you have any firewalls with which you can isolate it?

If you've identified it, is there a patch available, and what patch deployment tools do you have available?

There's no real way to "disable" an IP address. You can DOS the machine using that address, crash its IP stack and it will quit talking. If you have a sufficiently sophisticated network infrastructure, you can isolate the infected machines at their local switch. If you're in a flat IP space and using static IP addressing, you could have uninfected machines steal the IP addresses of the infected ones. If you're in a DHCP environment, you could have the DHCP server refuse to lease an address to a MAC address that you have identified as an infected machine (you still are stuck with the issue of how to cancel their existing lease).

There are a number of ways to approach your situation, and the determination of what approach is most effective depends a lot on exactly how your network infrastructure is designed and built and what tools you have at your disposal. Without knowing a lot more, it's difficult to be more specific.

Long term, perhaps this experience will serve as a business case for moving AWAY from a 100% Micro$oft environment. For your NOS, take a look at NetWare v6.5 (http://www.novell.com/netware). For desktop management and directory-enabled patch deployment, look at Novell ZENworks (http://www.novell.com/zenworks).
0
 
LVL 5

Author Comment

by:Devario Johnson
the problem is trying to find them...the machines are named but they are not where they are supposed to be in terms of location.  The network is extremely big but we are on a flat network that isn't segmented.  [We are trying to upgrade soon :p]  therefore it is highly impossible to locate the machines physically, that is the reason why we are trying to kill the IP over the network.  We have the IP address but can't find the physical machine, but we have the IP address so if we can just disable it we hope that can work....ANY SUGGESTIONS???
0
 
LVL 43

Expert Comment

by:JFrederick29
You could look in your router's ARP cache and find out the MAC addresses of the infected machines.  Then locate the MAC address in your switch's MAC-address-table and match it to the switch port.  Once you know what switch port it is you can administratively shut it down.

No traffic will be allowed from the infected PC to the network.
0
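The lookup chain described in the comment above (IP to MAC through the router's ARP cache, then MAC to port through the switch's MAC address table), as an added example that is not part of the original thread. It assumes Cisco IOS-style `show ip arp` and `show mac address-table` output; the sample output and addresses are constructed, and `locate` and its parameters are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample output in Cisco IOS style (an assumption; adjust the
# regexes for other vendors). All addresses are made up for illustration.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.4.23              12   0008.74a1.b2c3  ARPA   Vlan1
Internet  10.1.4.77               3   0008.74d4.e5f6  ARPA   Vlan1
Internet  10.1.4.90               0   Incomplete      ARPA
"""
MAC_TABLE_OUTPUT = """\
Vlan    Mac Address       Type        Ports
   1    0008.74a1.b2c3    DYNAMIC     Fa0/12
   1    0008.74d4.e5f6    DYNAMIC     Gi0/1
   1    0008.7411.2233    DYNAMIC     Gi0/1
"""
MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"


def parse_arp(text):
    """Return {ip: mac} for resolved entries; 'Incomplete' rows are skipped."""
    pat = re.compile(
        rf"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+({MAC_RE})\s", re.I | re.M)
    return {ip: mac.lower() for ip, mac in pat.findall(text)}


def parse_mac_table(text):
    """Return {mac: port} from the switch's MAC address table."""
    pat = re.compile(rf"^\s*\d+\s+({MAC_RE})\s+\S+\s+(\S+)\s*$", re.I | re.M)
    return {mac.lower(): port for mac, port in pat.findall(text)}


def locate(ips, arp_text, mac_text, max_macs_per_access_port=1):
    """Map each IP to (mac, port, verdict) so only edge ports get shut down."""
    arp, macs = parse_arp(arp_text), parse_mac_table(mac_text)
    per_port = Counter(macs.values())  # many MACs on one port means an uplink
    result = {}
    for ip in ips:
        mac = arp.get(ip)
        port = macs.get(mac) if mac else None
        if mac is None:
            verdict = "no ARP entry: host silent or behind another router"
        elif port is None:
            verdict = "MAC not in this switch's table"
        elif per_port[port] > max_macs_per_access_port:
            verdict = "uplink: repeat the lookup on the next switch"
        else:
            verdict = "access port: candidate for shutdown"
        result[ip] = (mac, port, verdict)
    return result
```

The uplink check matters on a flat network: a MAC learned on a port that carries several addresses sits behind another switch, and shutting that port would disconnect every machine downstream rather than the one infected host.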
 
LVL 5

Author Comment

by:Devario Johnson
ok We are on a DHCP environment and we just need the machine(s) disabled today.  I saw someone use a kill command in DOS but I can't remember what it is.  We want to do it this way because when it is disabled the person will call saying they can't use the network, that way we can find out where it is...... THANKS FOR ANY HELP!!!!
0
 
LVL 5

Author Comment

by:Devario Johnson
I'm increasing points !!!!!!! WE NEED HELP!!!!
0
 
LVL 34

Expert Comment

by:PsiCop
Ooo....flat, unsegmented network. Bad news in your situation - there's no "border guards", no way to really control your network traffic. Every machine has uninhibited access to every other machine on the network.

Here's a solution - a bit drastic, but it may be the only practical approach. Shut down all your switches - at the port level if you can. Kill your network. Then go around machine to machine, clean/disinfect each one, apply the appropriate patches, and then bring its switch port back up and let it talk.

It's drastic, yes. It will sure as hell disrupt business operations. But given the environment you describe (100% M$, flat network, no segmenting, DHCP) it may be the only way to stop the malware spread.
0
 
LVL 43

Expert Comment

by:JFrederick29
Maybe you are thinking about this?

http://www.experts-exchange.com/Operating_Systems/Q_20702167.html

It references killing an established connection to a computer.  This will not help you though.  I would find their mac address and shut down their switch port...

0
 
LVL 16

Assisted Solution

by:Wadski
Wadski earned 50 total points
Use Command Prompt to message each machine in turn asking them to ring you.  Get a physical location for the machine and then isolate it on a VLAN and check it's behaving.  Move on to the next machine until everything is on the new VLAN.

Then remove VLAN and buy some AV software.

0
 
LVL 5

Author Comment

by:Devario Johnson
Hey guys we can't shut down business operations cuz this is Atlantis the biggest hotel in the world.....we need another approach...PLEASE :D (sorry for sounding so demanding)
0
 
LVL 34

Expert Comment

by:PsiCop
Is Wadski's idea viable? Do you have VLAN capability? If you do, his idea is as good as any.
0
 
LVL 35

Expert Comment

by:ShineOn
How many physical locations are we talking about?  Is this in one building/campus or is this on a WAN?
0
 
LVL 5

Author Comment

by:Devario Johnson
it is on a WAN
0

 
LVL 5

Author Comment

by:Devario Johnson
700 locations
0
 
LVL 5

Author Comment

by:Devario Johnson
ok thanks for all the help right, but the bottom line comes to this....is there a command using the Dos prompt that will allow me to kill an IP address
0
 
LVL 35

Expert Comment

by:ShineOn
How many locations? - you say you have 5 techs and are trying to fix this remotely. Looks like you're in a world of hurt.

As the others have indicated, individual turning off of IP addresses isn't exactly a common activity.  If these folx can't figure out a way, it's not likely there is one that will help you, so I am going in another direction here.

Do you have any kind of antivirus running?  Do you have any enterprise desktop management software, like Zen for Desktops or LanDesk Manager, that can force execution remotely?

Have you identified the virus?  Does it have a "cleaner" utility available?  Is it one that exploits specific Microsoft vulnerabilities that have been addressed in service packs or hotfixes?  Does it use any particular service?  If you have a desktop management utility, can you remotely disable services?
0
 
LVL 34

Expert Comment

by:PsiCop
Ah, I think I see what you're asking now.

Since you're in a DHCP environment, try the following in a DOS box:

ipconfig /release

That will cause the TCP/IP stack to give up its IP address assignment. At this juncture, TCP/IP is loaded but not bound to a specific adapter.
0
 
LVL 5

Author Comment

by:Devario Johnson
yah but is there a way we can do it REMOTELY
0
 
LVL 18

Expert Comment

by:JConchie
NO! There is no remote way to do this........you need to follow the advice of the good folks above and stop shouting....you are in a world of hurt and there is no easy way out of this ........you are going to have to ID the problem machine and physically isolate it.  If you have enterprise AV running, it should identify the machine for you.  There are network mapping tools that can scan your network and match IP addresses to MAC addresses.  Beyond that, if you don't have any idea where particular machines are in your physical environment, you are going to have to isolate them one by one until you find the problem machine.

And if a virus is responsible, it is very likely that the infection has spread far beyond one machine, given your system design and apparent lack of AV resources.

http://oldlook.experts-exchange.com/Networking/WinNT_Networking/Q_20781787.html
0
 
LVL 35

Expert Comment

by:ShineOn
Do you have any remote-control software loaded on the desktops?  

Without remote-control to the desktop (which would disconnect as soon as you kill IP) or enterprise desktop management software, you have no recourse.  Without one of those tools in place, there is no remote way, as JConchie said.

When you finally get this crisis cleaned up, you need to leverage it to get funding to purchase, install and implement several enterprise tools.  Enterprise A/V.  Enterprise desktop management.  Infrastructure reconfiguration.  Improved firewalling.  Corporate standard desktop configurations with lockdowns.  WAN redundancy/failover.

Like you said earlier, you can't afford to have your network out of service.  As Ben Franklin said, "an ounce of prevention is worth a pound of cure."  That means it's cheaper to avoid a problem than to fix an avoidable problem after the fact.
0
 
LVL 5

Author Comment

by:Devario Johnson
ok guys thanks for the help but I guess all is lost then...we'll have to do it one by one until something gives....We have McAfee on all the machines by the way
0
 
LVL 82

Assisted Solution

by:oBdA
oBdA earned 75 total points
Try solving it using the logon script.
Create a list with your bad IP addresses (one IP per line). Put it into your netlogon share. Put logoff.exe and sleep.exe from the resource kit in the netlogon share as well.
Put the script below at the beginning of your logon script.
If the machine that the user uses to log on has a "bad" IP, it will display the message asking the user to report in, and log the user right back off after two minutes.
When the user calls, note his whereabouts and his IP. To enable him to work again, simply delete his IP from the bad list. Once the list is empty, you have the position of all the machines.

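====8<----[logon.cmd]----
@echo off
setlocal
:: List of infected IP addresses, one per line, in the netlogon share
set BadIPList=%LogonServer%\netlogon\badip.txt
:: Read this machine's IP address from the ipconfig output
for /f "tokens=2 delims=:" %%a in ('ipconfig ^| find /i "IP Address"') do set IP=%%a
:: Strip the spaces left over from the ipconfig line
set IP=%IP: =%
:: Match the whole line literally, so that 10.0.0.1 does not also match 10.0.0.10
findstr /x /l /c:"%IP%" "%BadIPList%" >NUL
if errorlevel 1 goto logon
net send %ComputerName% "Your computer (%IP%) is virus infected. Please call help desk at 555-5555 *immediately*. You will only be able to log on after you report in."
:: Give the user two minutes to read the message, then force the logoff
%logonserver%\netlogon\sleep.exe 120
%logonserver%\netlogon\logoff.exe /f /n

:logon
:: *** Put your regular logon script here:
====8<----[logon.cmd]----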
0
 
LVL 1

Expert Comment

by:learath
What type of switches are you running?  You can track mac from the ip, then block the MAC on most quality switches.  Contact me if you need help with Cisco switches, others I don't know well enough to help on.
0
 
LVL 18

Expert Comment

by:JConchie
Bravo oBdA!  That sounds like the very thing!
0
 
LVL 9

Assisted Solution

by:cooledit
cooledit earned 50 total points
first thing to do kill (stop all running servers) SMTP especially
0
 
LVL 1

Assisted Solution

by:GRiTech
GRiTech earned 25 total points
Have you tried nbtstat -A xxx.xxx.xxx.xxx   where xxx is the IP address   this should throw up the name of the person logged onto PC/s, who can then be contacted.

0
 
LVL 41

Assisted Solution

by:stevenlewis
stevenlewis earned 75 total points
Bottom line is there is no easy way to fix this
your IT manager should be flogged LOL
You say you are using McAfee, definitions up to date?
What virus/virii are we dealing with?
check into lansurveyor
http://www.neon.com/gglls.html
0
 

Expert Comment

by:n0c
try running shutdown.exe and pass it the ip address of the machine you want to shutdown...should be easily batched
0
 
LVL 4

Expert Comment

by:Wiired
And I thought I was understaffed......
0
 
LVL 18

Expert Comment

by:JConchie
devarioj,

When you get a chance to come up for air, a report from you on how you and your four cohorts finally dealt with this mess........and what changes you plan to make to your network as a result of this experience would be much appreciated by all of us.

We may not have been much help to you here, but your experience may be valuable to others down the line.

Thanks,
hope it has worked out.
0
 
LVL 5

Author Comment

by:Devario Johnson
ok guys, this is what happened....it took a very long time...but we got it down to a manageable few hundred computers distributing the virii.  We never got it eradicated though...and I have quit since then and I'm back in school...to make sure if something like that happens again, I can handle it and get a big promotion while everyone else is scratching their heads....thanks for all the help though....
0
 
LVL 5

Author Comment

by:Devario Johnson
ok guys here's the bottom line...because of all the help I received in this area I'm still going to award points...there's no reason why your efforts shouldn't go unrewarded...I'm bumping the points and sharing em out. :D
0
