  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3612

kill or disable an IP address over a network

Hey guys.. I need an answer asap. How do I kill or disable an IP address over a network, using the dos command line or other?
0
Asked by: Devario Johnson
7 Solutions
 
PsiCop Commented:
What exactly are you trying to do? If you're trying to DOS someone, we can't help you.

0
 
PsiCop Commented:
Or perhaps more to the point, we WON'T help you if you're trying to DOS someone.
0
 
Devario Johnson (Software Engineer, Author) Commented:
NO NO NO... we are having major network problems here at work, there are viruses running wild and there are machines here on the network killing it.  We need to disable the IPs to see if we can stop this.  We already disabled the machines in the active directory, but the problems are still coming.  We have over 5000 machines here and we need to do it this way...thanks for any help I can get


        signed
a frustrated part time employee of Atlantis' IT department...
0
 
Devario Johnson (Software Engineer, Author) Commented:
And we have only 5 technicians working PC NT so we are trying to do it remotely.....
0
 
Devario Johnson (Software Engineer, Author) Commented:
whoa when I said DOS I mean DOS PROMPT not DoS= denial of service!!!! lol lol
0
 
JFrederick29 Commented:
Physically remove them from the network...pull the network cable out of the infected machines.  Then while they are disconnected from the network you can patch them and clean the viruses.

Once the machines are clean and patched, plug them back into the network.

If you can't get to the machine physically...

You could shut down their switch port remotely but of course you would have to know which port they are attached to...
0
 
PsiCop Commented:
Oh, well, your problem is you're running a buggy, virus-ridden piece of garbage OS from Redmond.

But knowing that doesn't immediately help you, so let's see what we can do to shield you from the folly of whoever was stupid enough to have your entire business enterprise rely on Windoze.

Have you identified the virus? Do you know HOW it is moving around your network?

Do you have any firewalls with which you can isolate it?

If you've identified it, is there a patch available, and what patch deployment tools do you have available?

There's no real way to "disable" an IP address. You can DOS the machine using that address, crash its IP stack and it will quit talking. If you have a sufficiently sophisticated network infrastructure, you can isolate the infected machines at their local switch. If you're in a flat IP space and using static IP addressing, you could have uninfected machines steal the IP addresses of the infected ones. If you're in a DHCP environment, you could have the DHCP server refuse to lease an address to a MAC address that you have identified as an infected machine (you still are stuck with the issue of how to cancel their existing lease).

There are a number of ways to approach your situation, and the determination of what approach is most effective depends a lot on exactly how your network infrastructure is designed and built and what tools you have at your disposal. Without knowing a lot more, it's difficult to be more specific.

Long term, perhaps this experience will serve as a business case for moving AWAY from a 100% Micro$oft environment. For your NOS, take a look at NetWare v6.5 (http://www.novell.com/netware). For desktop management and directory-enabled patch deployment, look at Novell ZENworks (http://www.novell.com/zenworks).
0
 
Devario Johnson (Software Engineer, Author) Commented:
the problem is trying to find them...the machines are named but they are not where they are supposed to be in terms of location.  The network is extremely big but we are on a flat network that isn't segmented.  [We are trying to upgrade soon :p]  therefore it is highly impossible to locate the machines physically, that is the reason why we are trying to kill the IP over the network.  We have the IP address but can't find the physical machine, but we have the IP address so if we can just disable it we hope that can work....ANY SUGGESTIONS???
0
 
JFrederick29 Commented:
You could look in your router's ARP cache and find out the MAC addresses of the infected machines.  Then locate the MAC address in your switch's MAC-address-table and match it to the switch port.  Once you know what switch port it is you can administratively shut it down.

No traffic will be allowed from the infected PC to the network.
0
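The lookup chain from the answer above (router ARP cache, then switch MAC address table, then switch port), as an added example that is not part of the original thread. The command output is constructed sample text in Cisco IOS style, and the function names are this example's own.

```python
import re

# Constructed sample output in Cisco IOS style (not taken from the thread).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.57             12   0012.3f4a.9c01  ARPA   Vlan20
Internet  10.1.20.58              3   0012.3f4a.9c02  ARPA   Vlan20
Internet  10.1.20.99              0   Incomplete      ARPA
"""
SHOW_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0012.3f4a.9c01    DYNAMIC     Fa0/14
  20    0012.3f4a.9c02    DYNAMIC     Gi0/1
  20    0012.3f4a.9c03    DYNAMIC     Gi0/1
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def parse_arp(text):
    """IP -> MAC; 'Incomplete' entries carry no MAC and are skipped."""
    pat = re.compile(rf"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+({MAC})\s", re.I | re.M)
    return {ip: mac.lower() for ip, mac in pat.findall(text)}

def parse_mac_table(text):
    """MAC -> (vlan, port) as learned by the switch."""
    pat = re.compile(rf"^\s*(\d+)\s+({MAC})\s+\S+\s+(\S+)\s*$", re.I | re.M)
    return {mac.lower(): (int(vlan), port) for vlan, mac, port in pat.findall(text)}

def locate(bad_ips, arp_text, mac_text):
    """Map each suspect IP to its MAC and switch port, flagging non-edge ports."""
    arp, table = parse_arp(arp_text), parse_mac_table(mac_text)
    per_port = {}
    for _, port in table.values():
        per_port[port] = per_port.get(port, 0) + 1
    result = {}
    for ip in bad_ips:
        mac = arp.get(ip)
        vlan_port = table.get(mac) if mac else None
        if vlan_port is None:
            result[ip] = None  # no ARP entry, or MAC not learned on this switch
            continue
        port = vlan_port[1]
        # Several MACs on one port usually means an uplink or hub: shutting it cuts off more than one host
        result[ip] = {"mac": mac, "port": port, "edge": per_port[port] == 1}
    return result
```

A result with `edge` set to False means the lookup has to continue on the downstream switch before any port is shut.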
 
Devario Johnson (Software Engineer, Author) Commented:
ok We are on a DHCP environment and we just need the machine(s) disabled today.  I saw someone use a kill command in dos but I can't remember what it is.  We want to do it this way because when it is disabled the person will call saying they can't use the network, that way we can find out where it is...... THANKS FOR ANY HELP!!!!
0
 
Devario Johnson (Software Engineer, Author) Commented:
I'm increasing points !!!!!!! WE NEED HELP!!!!
0
 
PsiCop Commented:
Ooo....flat, unsegmented network. Bad news in your situation - there's no "border guards", no way to really control your network traffic. Every machine has uninhibited access to every other machine on the network.

Here's a solution - a bit drastic, but it may be the only practical approach. Shut down all your switches - at the port level if you can. Kill your network. Then go around machine to machine, clean/disinfect each one, apply the appropriate patches, and then bring its switch port back up and let it talk.

It's drastic, yes. It will sure as hell disrupt business operations. But given the environment you describe (100% M$, flat network, no segmenting, DHCP) it may be the only way to stop the malware spread.
0
 
JFrederick29 Commented:
Maybe you are thinking about this?

http://www.experts-exchange.com/Operating_Systems/Q_20702167.html

It references killing an established connection to a computer.  This will not help you though.  I would find their mac address and shut down their switch port...

0
 
Wadski (IT Director) Commented:
Use Command Prompt to message each machine in turn asking them to ring you.  Get a physical location for the machine and then isolate it on a VLAN and check it's behaving.  Move on to the next machine until everything is on the new VLAN.

Then remove VLAN and buy some AV software.

0
 
Devario Johnson (Software Engineer, Author) Commented:
Hey guys we can't shut down business operations cuz this is Atlantis the biggest hotel in the world.....we need another approach...PLEASE :D (sorry for sounding so demanding)
0
 
PsiCop Commented:
Is Wadski's idea viable? Do you have VLAN capability? If you do, his idea is as good as any.
0
 
ShineOn Commented:
How many physical locations are we talking about?  Is this in one building/campus or is this on a WAN?
0
 
Devario Johnson (Software Engineer, Author) Commented:
it is on a WAN
0
 
Devario Johnson (Software Engineer, Author) Commented:
700 locations
0
 
Devario Johnson (Software Engineer, Author) Commented:
ok thanks for all the help right, but the bottom line comes to this....is there a command using the Dos prompt that will allow me to kill an IP address
0
 
ShineOn Commented:
How many locations? - you say you have 5 techs and are trying to fix this remotely. Looks like you're in a world of hurt.

As the others have indicated, individual turning off of IP addresses isn't exactly a common activity.  If these folx can't figure out a way, it's not likely there is one that will help you, so I am going in another direction here.

Do you have any kind of antivirus running?  Do you have any enterprise desktop management software, like Zen for Desktops or LanDesk Manager, that can force execution remotely?

Have you identified the virus?  Does it have a "cleaner" utility available?  Is it one that exploits specific Microsoft vulnerabilities that have been addressed in service packs or hotfixes?  Does it use any particular service?  If you have a desktop management utility, can you remotely disable services?
0
 
PsiCop Commented:
Ah, I think I see what you're asking now.

Since you're in a DHCP environment, try the following in a DOS box:

ipconfig /release

That will cause the TCP/IP stack to give up its IP address assignment. At this juncture, TCP/IP is loaded but not bound to a specific adapter.
0
 
Devario Johnson (Software Engineer, Author) Commented:
yah but is there a way we can do it REMOTELY
0
 
JConchie Commented:
NO! There is no remote way to do this........you need to follow the advice of the good folks above and stop shouting....you are in a world of hurt and there is no easy way out of this ........you are going to have to id the problem machine and physically isolate it.  If you have enterprise AV running, it should identify the machine for you.  There are network mapping tools that can scan your network and match IP addresses to MAC addresses.  Beyond that, if you don't have any idea where particular machines are in your physical environment, you are going to have to isolate them one by one until you find the problem machine.

And if a virus is responsible, it is very likely that the infection has spread far beyond one machine, given your system design and apparent lack of AV resources.

http://oldlook.experts-exchange.com/Networking/WinNT_Networking/Q_20781787.html
0
 
ShineOn Commented:
Do you have any remote-control software loaded on the desktops?  

Without remote-control to the desktop (which would disconnect as soon as you kill IP) or enterprise desktop management software, you have no recourse.  Without one of those tools in place, there is no remote way, as JConchie said.

When you finally get this crisis cleaned up, you need to leverage it to get funding to purchase, install and implement several enterprise tools.  Enterprise A/V.  Enterprise desktop management.  Infrastructure reconfiguration.  Improved firewalling.  Corporate standard desktop configurations with lockdowns.  WAN redundancy/failover.

Like you said earlier, you can't afford to have your network out of service.  As Ben Franklin said, "an ounce of prevention is worth a pound of cure."  That means it's cheaper to avoid a problem than to fix an avoidable problem after the fact.
0
 
Devario Johnson (Software Engineer, Author) Commented:
ok guys thanks for the help but I guess all is lost then...we'll have to do it one by one until something gives....We have McAfee on all the machines by the way
0
 
oBdA Commented:
Try solving it using the logon script.
Create a list with your bad IP addresses (one IP per line). Put it into your netlogon share. Put logoff.exe and sleep.exe from the resource kit in the netlogon share as well.
Put the script below at the beginning of your logon script.
If the machine that the user uses to log on has a "bad" IP, it will display the message asking the user to report in, and log the user right back off after two minutes.
When the user calls, note his whereabouts and his IP. To enable him to work again, simply delete his IP from the bad list. Once the list is empty, you have the position of all the machines.

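====8<----[logon.cmd]----
@echo off
setlocal
:: List of quarantined addresses in the netlogon share, one IP per line
set BadIPList=%LogonServer%\netlogon\badip.txt
:: Take this machine's address from ipconfig (with several adapters, the last one listed wins)
for /f "tokens=2 delims=:" %%a in ('ipconfig ^| find /i "IP Address"') do set IP=%%a
:: Strip the space left over from the "label : value" layout
set IP=%IP: =%
:: /x /l = whole-line literal match, so 10.0.0.1 does not match a listed 10.0.0.10
findstr /x /l /c:"%IP%" "%BadIPList%" >NUL
if errorlevel 1 goto logon
net send %ComputerName% "Your computer (%IP%) is virus infected. Please call help desk at 555-5555 *immediately*. You will only be able to log on after you report in."
%logonserver%\netlogon\sleep.exe 120
%logonserver%\netlogon\logoff.exe /f /n

:logon
:: *** Put your regular logon script here:
====8<----[logon.cmd]----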
0
 
learath Commented:
What type of switches are you running?  You can track mac from the ip, then block the MAC on most quality switches.  Contact me if you need help with Cisco switches, others I don't know well enough to help on.
0
 
JConchie Commented:
Bravo oBdA!  That sounds like the very thing!
0
 
cooledit Commented:
first thing to do kill (stop all running servers) SMTP especially
0
 
GRiTech Commented:
Have you tried nbtstat -A xxx.xxx.xxx.xxx   where xxx.xxx.xxx.xxx is the IP address?   This should throw up the name of the person logged onto the PC/s, who can then be contacted.

0
 
stevenlewis Commented:
Bottom line is there is no easy way to fix this
your IT manager should be flogged LOL
You say you are using Mcafee, definitions up to date?
What virus/virii are we dealing with?
check into lansurveyor
http://www.neon.com/gglls.html
0
 
n0c Commented:
try running shutdown.exe and pass it the ip address of the machine you want to shutdown...should be easily batched
0
 
Wiired Commented:
And I thought I was understaffed......
0
 
JConchie Commented:
devarioj,

When you get a chance to come up for air, a report from you on how you and your four cohorts finally dealt with this mess........and what changes you plan to make to your network as a result of this experience would be much appreciated by all of us.

We may not have been much help to you here, but your experience may be valuable to others down the line.

Thanks,
hope it has worked out.
0
 
Devario Johnson (Software Engineer, Author) Commented:
ok guys, this is what happened....it took a very long time...but we got it down to a manageable few hundred computers distributing the virii.  We never got it eradicated though...and I have quit since then and I'm back in school...to make sure if something like that happens again, I can handle it and get a big promotion while everyone else is scratching their heads....thanks for all the help though....
0
 
Devario Johnson (Software Engineer, Author) Commented:
ok guys here's the bottom line...because of all the help I received in this area I'm still going to award points...there's no reason why your efforts shouldn't go unrewarded...I'm bumping the points and sharing em out. :D
0
