
Showing papers on "DDoS mitigation published in 2019"


Journal ArticleDOI
TL;DR: Experimental results show that Cochain-SC achieves flexibility, efficiency, security, cost effectiveness, and high accuracy in detecting illegitimate flows, making it a promising approach to mitigate DDoS attacks.
Abstract: With the exponential growth in the number of insecure devices, the impact of Distributed Denial-of-Service (DDoS) attacks is growing rapidly. Existing DDoS mitigation schemes are facing obstacles due to low flexibility, lack of resources, and high cost. New emerging technologies, such as blockchain, introduce new opportunities for low-cost, efficient and flexible DDoS attack mitigation across multiple domains. In this paper, we propose a blockchain-based approach, called Cochain-SC, which combines two levels of mitigation, intra-domain and inter-domain DDoS mitigation. For intra-domain, we propose an effective DDoS mitigation method in the context of software defined networks (SDN); it consists of three schemes: (1) Intra Entropy-based scheme (I-ES) to measure, using sFlow, the randomness of data inside the domain; (2) Intra Bayes-based scheme (I-BS) to classify, based on entropy values, illegitimate flows; and (3) Intra-domain Mitigation (I-DM) scheme to effectively mitigate illegitimate flows inside the domain. For inter-domain, we propose a collaborative DDoS mitigation scheme based on blockchain; it uses the concept of smart contracts (i.e., Ethereum’s smart contracts) to facilitate the collaboration among SDN-based domains (i.e., Autonomous System: AS) to mitigate DDoS attacks. For this aim, we design a novel and secure scheme that allows multiple SDN-based domains to securely collaborate and transfer attack information in a decentralized manner. Combining intra- and inter-domain DDoS mitigation, Cochain-SC allows an efficient mitigation along the path of an ongoing attack and an effective mitigation near the origin of the attack. This reduces the enormous cost of forwarding packets across multiple domains, which consist mostly of useless amplified attack traffic. To the best of our knowledge, Cochain-SC is the first scheme that proposes to deal with both intra-domain and inter-domain DDoS attack mitigation by combining SDN, blockchain and smart contracts. The implementation of Cochain-SC is deployed on the Ethereum official test network, Ropsten. Moreover, we conducted extensive experiments to evaluate our proposed approach; the experimental results show that Cochain-SC achieves flexibility, efficiency, security, cost effectiveness, and high accuracy in detecting illegitimate flows, making it a promising approach to mitigate DDoS attacks.

99 citations


Journal ArticleDOI
TL;DR: Fog computing concept in DDoS mitigation is applied by allocating traffic monitoring and analysis work close to local devices, and, on the other hand, coordinating and consolidating work to cloud central servers so as to achieve fast response while at low false alarm rate.

58 citations


Proceedings ArticleDOI
01 Dec 2019
TL;DR: Co-IoT is proposed, a blockchain-based framework for collaborative DDoS mitigation that uses the concept of smart contracts (i.e., Ethereum's smart contracts) to facilitate the collaboration among SDN-based domains and transfer attack information in a decentralized manner, and achieves flexibility, efficiency, security and cost effectiveness.
Abstract: The recent proliferation of the Internet of Things (IoT) is paving the way for the emergence of smart cities, where billions of IoT devices are interconnected to provide novel pervasive services and automate our daily life tasks (e.g., smart healthcare, smart home). However, as the number of insecure IoT devices continues to grow at a rapid rate, the impact of Distributed Denial-of-Service (DDoS) attacks is growing rapidly. With the advent of IoT botnets such as Mirai, the view towards IoT has changed from an enabler of smart cities into a powerful amplifying tool for cyberattacks. This motivates the development of new techniques to provide flexibility and efficiency of decision making on attack collaboration in a software defined networks (SDN) context. New emerging technologies, such as SDN and blockchain, introduce new opportunities for low-cost, efficient and flexible DDoS attack collaboration for IoT-based environments. In this paper, we propose Co-IoT, a blockchain-based framework for collaborative DDoS mitigation; it uses the concept of smart contracts (i.e., Ethereum's smart contracts) to facilitate the collaboration among SDN-based domains and transfer attack information in a decentralized manner. The implementation of Co-IoT is deployed on the Ethereum official test network Ropsten [1]. The experimental results confirm that Co-IoT achieves flexibility, efficiency, security and cost effectiveness, making it a promising approach to mitigate large scale DDoS attacks.

51 citations


Journal ArticleDOI
TL;DR: This paper presents a Fuzzy self-organizing maps-based DDoS mitigation (FSOMDM) technique that is ideally and suitably designed for improving the SDN capabilities of cloud computing.
Abstract: The characteristic features of cloud computing deployment make it highly vulnerable to distributed denial of service (DDoS) attacks. The recent advancement in software-defined networking (SDN) enhances the possibilities for defeating DDoS attacks in cloud computing environments. This option to improve the probability of defeating DDoS attacks is made feasible through the striking features of SDN, which include their capability for software-oriented traffic investigation, network global dimension, dynamically updated forwarding rules and a centralized point of control. This paper presents a Fuzzy self-organizing maps-based DDoS mitigation (FSOMDM) technique that is ideally and suitably designed for improving the SDN capabilities of cloud computing. FSOMDM is an enhanced neural network model that effectively replaces the neurons of the traditional Kohonen neural network model through updating fuzzy rules. The property of software-oriented traffic investigation is utilized in this process, and the fuzzy rule is used for exploring the dimension of the input space from which a single-valued output is derived for enabling the mitigation of DDoS. In addition, FSOMDM incorporates an attack-response process that drops attack flows through its enforcement in the control plane of SDN. The performance investigation of FSOMDM confirms its significance by achieving nearly 94% classifier accuracy evaluated in terms of true positive rate (TPR).

43 citations


Journal ArticleDOI
TL;DR: This paper enhances the mitigation capabilities of edge servers by transparently offloading a portion of DDoS mitigation rules in the SmartNIC, thus achieving a balanced combination of the XDP flexibility in operating traffic sampling and aggregation in the kernel, with the performance of hardware-based filtering.
Abstract: In recent years, the complexity of the network data plane and its requirements in terms of agility have increased significantly, with many network functions now implemented in software and executed directly in datacenter servers. To avoid bottlenecks and to keep up with the ever increasing network speeds, recent approaches propose to move the software packet processing into kernel space using technologies such as eBPF/XDP, or to offload (part of it) to specialized hardware, the so-called SmartNICs. This paper aims at guiding the reader through the intricacies of the above mentioned technologies, leveraging SmartNICs to build a more efficient processing pipeline and providing concrete insights on their usage for a specific use case, namely, the mitigation of Distributed Denial of Service (DDoS) attacks. In particular, we enhance the mitigation capabilities of edge servers by transparently offloading a portion of the DDoS mitigation rules to the SmartNIC, thus achieving a balanced combination of the XDP flexibility in operating traffic sampling and aggregation in the kernel with the performance of hardware-based filtering. We evaluate the performance in different combinations of host and SmartNIC-based mitigation, showing that offloading part of the DDoS network function to the SmartNIC can indeed optimize the packet processing, but only if combined with additional processing in the host kernel space.

35 citations


Proceedings ArticleDOI
21 Oct 2019
TL;DR: This paper presents the first in-depth statistical analysis of all RTBH events at a large European IXP by correlating measurements of the data and the control plane for a period of 104 days, and identifies a surprising practice that significantly deviates from the expected mitigation use patterns.
Abstract: Large Distributed Denial-of-Service (DDoS) attacks pose a major threat not only to end systems but also to the Internet infrastructure as a whole. Remote Triggered Black Hole filtering (RTBH) has been established as a tool to mitigate inter-domain DDoS attacks by discarding unwanted traffic early in the network, e.g., at Internet eXchange Points (IXPs). As of today, little is known about the kind and effectiveness of its use, and about the need for more fine-grained filtering. In this paper, we present the first in-depth statistical analysis of all RTBH events at a large European IXP by correlating measurements of the data and the control plane for a period of 104 days. We identify a surprising practice that significantly deviates from the expected mitigation use patterns. First, we show that only one third of all 34k visible RTBH events correlate with indicators of DDoS attacks. Second, we witness over 2000 blackhole events announced for prefixes not of servers but of clients situated in DSL networks. Third, we find that blackholing on average causes dropping of only 50% of the unwanted traffic and is hence a much less reliable tool for mitigating DDoS attacks than expected. Our analysis also gives rise to first estimates of the collateral damage caused by RTBH-based DDoS mitigation.

24 citations


Journal Article
TL;DR: This paper presents the design, implementation, and evaluation of a reputation scheme for the Blockchain Signaling System (BloSS), in which a smart contract-enabled process automates reputation management to diminish malicious behavior by incentive design.

17 citations


Proceedings ArticleDOI
Meryam Essaid, DaeYong Kim, Soo Hoon Maeng, Sejin Park, Hongtaek Ju
01 Sep 2019
TL;DR: By classifying the attack traffic flow separately, the proposed mitigation technique could deny only the specific traffic causing the attack, instead of blocking all the traffic coming towards the victim(s).
Abstract: Recently, Distributed Denial-of-Service (DDoS) attacks are becoming more and more sophisticated, which makes the existing defence systems incapable of tolerating wide-ranging attacks by themselves. Thus, collaborative protection mitigation has become a needed alternative to extend defence mechanisms. However, the existing coordinated DDoS mitigation approaches either require a complex configuration or are highly priced. Blockchain technology offers a solution that reduces the complexity of a DDoS signalling system, as well as a platform where many autonomous systems (ASs) can share hardware resources and defence capabilities for an effective DDoS defence. In this work, we also used a deep learning DDoS detection system; we identify the individual DDoS attack class and also define whether the incoming traffic is legitimate or attack. By classifying the attack traffic flow separately, our proposed mitigation technique could deny only the specific traffic causing the attack, instead of blocking all the traffic coming towards the victim(s).

16 citations


Proceedings ArticleDOI
01 Nov 2019
TL;DR: This paper explores the dynamic threshold for DDoS attack in the SDN environment and proposes a feasible DDoS detection and defense mechanism that calculates the entropy of the network environment by the collected traffic status and derives a dynamic threshold according to the network conditions to determine whether the environment is subject to DDoS attacks.
Abstract: Software-Defined Networking (SDN) is one of the key technologies of 5th generation mobile networks (5G). However, like the traditional network architecture, SDN is also vulnerable to the Distributed Denial of Service (DDoS) attack. This paper explores the dynamic threshold for DDoS attacks in the SDN environment. Through the characteristics of SDN, we propose a feasible DDoS detection and defense mechanism. The proposed mechanism calculates the entropy of the network environment from the collected traffic status, and derives a dynamic threshold according to the network conditions to determine whether the environment is subject to DDoS attacks. In the event of a DDoS attack, the proposed mechanism discards the traffic from the malicious nodes to the victim nodes with a flow entry. In addition, if no DDoS attacks occur in the environment, the proposed system can disperse the traffic of the SDN switch, thereby balancing the traffic load in the environment.

16 citations


Book ChapterDOI
01 Jan 2019
TL;DR: A novel mechanism to defend against DDoS attacks at the network layer and application layer based on IP traceback, which is capable of tracing IP packets to their sources without depending upon the source address field of the IP header.
Abstract: Distributed Denial-of-Service (DDoS) attacks overwhelm the critical resources of a target server in order to reject its services to legitimate clients, and mainly attack availability in the Confidentiality Integrity Availability (CIA) triad of Internet-based applications. In this paper, we analyze three major components of DDoS defense mechanisms: DDoS detection, DDoS mitigation, and IP traceback. In the first step, we need to detect all DDoS attacks using an intrusion detection system to pinpoint the exact packet characteristics of the attack. We classify the attack traffic based on packet characteristics. The classification can lead to mitigating an attack. The mitigation scheme uses rate limits and filters the malicious packets. IP traceback is capable of tracing IP packets to their sources without depending upon the source address field of the IP header. IP traceback mechanisms are used to identify the true source address and to refuse spoofed IP addresses. Finally, in this paper we propose a novel mechanism to defend against DDoS attacks at the network layer and application layer.

13 citations



Proceedings ArticleDOI
01 Dec 2019
TL;DR: This paper proposes an architecture where a smart contract is deployed in a private blockchain, which facilitates a collaborative DDoS mitigation architecture across multiple network domains, and provides ASes (Autonomous Systems) the possibility to deploy their own DPS (DDoS Prevention Service) with no need to transfer control of the network to a third party.
Abstract: A DDoS attack is a spiteful attempt to disrupt legitimate traffic to a server by overwhelming the target with a flood of requests from geographically dispersed systems. Today attackers prefer DDoS attack methods to disrupt target services as they generate GBs to TBs of random data to flood the target. Existing mitigation strategies, because of a lack of resources and not having the flexibility to cope with attacks by themselves, are not considered to be that effective. So effective DDoS mitigation techniques can be provided using emerging technologies such as blockchain and SDN (Software-Defined Networking). We propose an architecture where a smart contract is deployed in a private blockchain, which facilitates a collaborative DDoS mitigation architecture across multiple network domains. The blockchain application is used as an additional security service. With the blockchain, shared protection is enabled among all hosts. With the help of smart contracts, rules are distributed among all hosts. In addition, SDN can effectively enable services and security policies dynamically. This mechanism provides ASes (Autonomous Systems) the possibility to deploy their own DPS (DDoS Prevention Service), and there is no need to transfer control of the network to a third party. This paper focuses on the challenges of protecting a hybridized enterprise from the ravages of rapidly evolving Distributed Denial of Service (DDoS) attacks.

Proceedings ArticleDOI
01 Sep 2019
TL;DR: The main idea of the FPGA-accelerated device is to efficiently filter malicious traffic at high speeds directly in the backbone infrastructure before it even reaches the victim's network.
Abstract: DDoS attacks are a significant threat to internet service or infrastructure providers. This poster presents an FPGA-accelerated device and DDoS mitigation technique to overcome such attacks. Our work addresses amplification attacks whose goal is to generate enough traffic to saturate the victim's links. The main idea of the device is to efficiently filter malicious traffic at high speeds directly in the backbone infrastructure before it even reaches the victim's network. We implemented our solution for two FPGA platforms using a high-level description in P4, and we report on its performance in terms of throughput and hardware resources.

Proceedings ArticleDOI
14 May 2019
TL;DR: This work presents the design of a security management dashboard for BloSS, designed for interactive use by cyber security analysts, and shows how the DDoS mitigation is automated.
Abstract: A cooperative network defense is one approach to fend off large-scale Distributed Denial-of-Service (DDoS) attacks. In this regard, the Blockchain Signaling System (BloSS) is a multi-domain, blockchain-based, cooperative DDoS defense system, where each Autonomous System (AS) takes part in the defense alliance. Each AS can exchange attack information about ongoing attacks via the Ethereum blockchain. However, the currently operational implementation of BloSS is not interactive or visualized, but the DDoS mitigation is automated. In real-world defense systems, a human cybersecurity analyst decides whether a DDoS threat should be mitigated or not. Thus, this work presents the design of a security management dashboard for BloSS, designed for interactive use by cybersecurity analysts.

Journal ArticleDOI
TL;DR: An unsupervised artificial neural network is utilized to develop a hierarchical two-layered self-organizing map equipped with a twofold feature selection for DDoS mitigation within the ISP domain.

Book ChapterDOI
04 Jun 2019
TL;DR: The vulnerabilities introduced by several DDoS mitigation techniques are analyzed, attacks that exploit them are discussed, and their impact on the network performance is quantified using experiments on a 5-node testbed.
Abstract: Software defined networking facilitates better network management by decoupling the data and control planes of legacy routers and switches and is widely adopted in data center and production networks. The decoupling of control and data planes facilitates more optimal network management and deployment of elaborate security mechanisms, but also introduces new vulnerabilities which could be exploited using distributed denial of service (DDoS) attacks. In this paper, we identify several protocol vulnerabilities and resource limitations that are exploited by DDoS attacks. We also analyze the vulnerabilities introduced by several DDoS mitigation techniques, discuss attacks that exploit them, and quantify their impact on the network performance using experiments on a 5-node testbed. We show an approach to mitigate such vulnerabilities while minimizing the introduction of any exploitable vulnerabilities.

Posted Content
TL;DR: It is proposed that basic research and principled analyses are badly needed, because the status quo does not paint a pretty picture for the future.
Abstract: Botnet Distributed Denial of Service (DDoS) attacks are now 20 years old; what has changed in that time? Their disruptive presence, their volume, distribution across the globe, and the relative ease of launching them have all been trending in favor of attackers. Our increases in network capacity and our architectural design principles are making our online world richer, but are favoring attackers at least as much as Internet services. The DDoS mitigation techniques have been evolving but they are losing ground to the increasing sophistication and diversification of the attacks that have moved from the network to the application level, and we are operationally falling behind attackers. It is time to ask fundamental questions: are there core design issues in our network architecture that fundamentally enable DDoS attacks? How can our network infrastructure be enhanced to address the principles that enable the DDoS problem? How can we incentivize the development and deployment of the necessary changes? In this article, we want to sound an alarm and issue a call to action to the research community. We propose that basic research and principled analyses are badly needed, because the status quo does not paint a pretty picture for the future.

Posted Content
TL;DR: It is argued that NDN's architectural changes can make DDoS attacks fundamentally more difficult to launch and less effective, and FITT offers an incrementally deployable solution for service providers to effectuate the application-level remediation at the sources, which remains unattainable in today's DDoS market.
Abstract: Distributed Denial of Service (DDoS) attacks have plagued the Internet for decades, but the basic defense approaches have not fundamentally changed. Rather, the size and rate of growth in attacks have actually outpaced carriers' and DDoS mitigation services' growth, calling for new solutions that can be, partially or fully, deployed imminently and exhibit effectiveness. In this paper, we examine the basic functions in Named Data Networking (NDN), a newly proposed Internet architecture, that can address the principal weaknesses in today's IP networks. We demonstrate, by a new DDoS mitigation solution over NDN, Fine-grained Interest Traffic Throttling (FITT), that NDN's architectural changes, even when incrementally deployed, can make DDoS attacks fundamentally more difficult to launch and less effective. FITT leverages the NDN design to enable the network to detect DDoS from the victim's feedback, throttles DDoS traffic by reversing its exact paths through the network, and enforces control over the misbehaving entities at their sources. Our extensive simulation results show that FITT can throttle attack traffic with a one-way time delay from the victim to the NDN gateway; upon activation, FITT effectively stops attack traffic from impacting benign flows, resulting in over 99% of packets reaching victims being legitimate ones. We further demonstrate that service providers may implement NDN/FITT on existing CDN nodes as an incrementally deployable solution to effectuate the application-level remediation at the sources, which remains unattainable in today's DDoS mitigation approaches.

Proceedings ArticleDOI
01 Nov 2019
TL;DR: A system of DDoS mitigation using Snort for DDoS detection and packet-filtering iptables in a private cloud set up with Eucalyptus acts as the defensive front.
Abstract: Cloud Computing is technologically the emerging trend of providing computational resources on demand, be that storage, network or computation; it encompasses all. The resources can be provided by a private, public or hybrid cloud. Cloud computing is the future of computing and is struggling with the concern of security. Among all security concerns, the Distributed Denial of Service (DDoS) attack is one of the biggest threats to both Internet security and to the Cloud as well. A sizable number of bots is involved in the creation of DDoS attacks on a Cloud target by flooding it with malformed packets to exhaust the resources. On the other hand, Economic Denial of Sustainability (EDoS) is a new threat to Cloud security which exploits the cloud elasticity and auto-scaling features and charges the user far too much, thus economically making a theft of it. Public clouds are less prone to attacks as they have inbuilt load balancers and mitigation setups. A private cloud like Eucalyptus is more vulnerable to DDoS attacks as it has fewer defense setups. To overcome these issues we propose a system of DDoS mitigation using Snort for DDoS detection and packet-filtering iptables in a private cloud set up with Eucalyptus. It acts as our defensive front. This way, our cloud is saved from DDoS attacks without being burdened with the excess traffic.

Proceedings ArticleDOI
03 May 2019
TL;DR: This paper proposes a distributed virtual honeypot model for diminishing DDoS attacks and preventing intrusion in securing CDNs, which is more effective in reducing the cost of the system as well as maintaining smooth delivery in geographically dispersed servers without performance degradation.
Abstract: Content Delivery Networks (CDN) are a standout amongst the most encouraging innovations that upgrade performance for their clients' websites by diverting web demands from browsers to topographically dispersed CDN surrogate nodes. However, due to the variable nature of CDNs, they suffer from various security and resource allocation issues. The most common attack used to bring down a whole network, as well as a CDN, without even finding a loophole in the security is DDoS. In this paper, we propose a distributed virtual honeypot model for diminishing DDoS attacks and preventing intrusion in securing CDNs. Honeypots are specially utilized to imitate the primary server with the goal that the attack is directed to the fake rather than the main server. Our proposed layer-based model utilizes honeypots to be more effective in reducing the cost of the system as well as maintaining smooth delivery in geographically dispersed servers without performance degradation.

Proceedings ArticleDOI
01 Sep 2019
TL;DR: Deep analysis of the normal and malicious traffic/packets was made, the proposed detection algorithm was applied to 2 types of DDOS attacks, TCP and HTTP Flood, and an efficient and effective technique will be developed to prevent or mitigate DDOS attacks.
Abstract: Any spacecraft needs a ground control station to receive and process its telemetry and then send commands to control it or to execute a certain mission. Although a space ground network station could be isolated from the internet, an internal Distributed Denial-of-Service (DDOS) attack might be launched from within to disrupt the performance of this critical network or to make a certain server/service totally unavailable; it is easier for insiders to deploy a DDOS attack because they have legitimate access to the system and can penetrate any security rules. A DDOS attack can exhaust the computing and bandwidth resources of the target server within a short period of time, so deep investigation and analysis of the network traffic are required, and this analysis should focus on the behavior of packets during a DDOS attack. In this paper, a deep analysis of the normal and malicious traffic/packets was made, using newly designed software (real-time telemetry from a spacecraft simulator), and the proposed detection algorithm was applied to 2 types of DDOS attacks, TCP and HTTP Flood. Based on the simulation and detection results, an efficient and effective algorithm and technique will be developed to prevent or mitigate DDOS attacks.

Proceedings ArticleDOI
09 Dec 2019
TL;DR: This dissertation plans to explore a split proxy architecture that would be able to operate at line rate and provide autoscaling services that take into account QoS, and provides a unique opportunity to embed DDoS-mitigation-like security features within the proxy framework.
Abstract: Proxies provide the networking infrastructure for the microservices architecture which has become ubiquitous in the cloud today. However, these proxies either cannot operate at line rate or are unsuitable for generic deployments. Furthermore, state-of-the-art autoscaling algorithms are still unable to account for the quality of service the applications need to provide. In my dissertation I plan to explore a split proxy architecture that would be able to operate at line rate and provide autoscaling services that take into account QoS. Furthermore, such disaggregated L4/L7 processing provides a unique opportunity to embed DDoS-mitigation-like security features within the proxy framework.

Proceedings ArticleDOI
08 Jul 2019
TL;DR: This paper presents a methodology for predicting the next DNS response in the light of a potential redirection to less busy servers, in order to mitigate the size of the attack.
Abstract: Load balancing and IP anycast are traffic routing algorithms used to speed up delivery of the Domain Name System. In case of a DDoS attack or an overload condition, the value of these protocols is critical, as they can provide intrinsic DDoS mitigation with the failover alternatives. In this paper, we present a methodology for predicting the next DNS response in the light of a potential redirection to less busy servers, in order to mitigate the size of the attack. Our experiments were conducted using data from the Nov. 2015 attack on the Root DNS servers, with Logistic Regression, k-Nearest Neighbors, Support Vector Machines and Random Forest as our primary classifiers. The models were able to successfully predict up to 83% of responses for Root Letters that operated on a small number of sites and consequently suffered the most during the attacks. On the other hand, regarding DNS requests coming from more distributed Root servers, the models demonstrated lower accuracy. Our analysis showed a correlation between the True Positive Rate metric and the number of sites, as well as a clear need for intelligent management of traffic in load balancing practices.


Dissertation
01 Jan 2019
TL;DR: Fingerprints based on known attacks are used to create rules that can be used in a Web Application Firewall (WAF) against HTTP flood DDoS attacks.
Abstract: Distributed Denial-of-Service (DDoS) attacks are an ever growing problem with large societal impact. To defend against DDoS attacks we need to set up defences in every possible layer. There is still very little defence in some of the layers. For this research we designed a system for application layer defence against HTTP flood DDoS attacks. We used fingerprints based on known attacks to create rules that can be used in a Web Application Firewall (WAF).

Book ChapterDOI
11 May 2019
TL;DR: A proactive conceptual defensive framework for protecting the core architecture of Cloud computing environment against the wake of Distributed Denial of Service attacks is proposed.
Abstract: The impact of Cloud computing on the current information technology infrastructure has undeniably led to a paradigm shift. The Software, Platform and Infrastructure services offered by Cloud computing have been widely adopted by industry and academia alike. Protecting the core architecture of the Cloud computing environment against the wake of Distributed Denial of Service attacks is necessary. Any disruption in Cloud services reduces availability, causing losses to the organizations involved. Firms lose revenue and customers lose trust in Cloud providers. This paper discusses a risk-transfer-based approach to handle such attacks in a Cloud environment employing Fog nodes. Fog nodes work in tandem with Autonomous Systems possessing unused bandwidth which can be leveraged by the Cloud during an attack. The burden of protection is partially transferred to willing third parties. Such a proactive conceptual defensive framework is proposed in this paper.

Proceedings ArticleDOI
01 Jul 2019
TL;DR: A modular system that makes it possible to increase the filtering capacity linearly and to protect against combinations of DDoS attacks is designed and implemented.
Abstract: Distributed Denial of Service (DDoS) attacks are used by attackers for their effectiveness. This type of attack is one of the most devastating attacks on the Internet. Every year, the intensity of DDoS attacks increases and attackers use sophisticated multi-target DDoS attacks. In this paper, a modular system that makes it possible to increase the filtering capacity linearly and to protect against combinations of DDoS attacks is designed and implemented. The main motivation for developing the modular filtering system was to find a cheap solution for filtering DDoS attacks with the possibility of increasing filtering capacity. The proposed system is based on open-source detection and filtration tools.

Dissertation
01 Jan 2019
TL;DR: A method to automatically generate extended Berkeley Packet Filter programs for DDoS mitigation, based on DDoS attack fingerprints from DDoSDB.org, with an overall accuracy of over 95%, a true positive rate of at least 93% and a true negative rate of over 98% on more than 90% of the simulated attacks.
Abstract: Distributed Denial of Service (DDoS) attacks have become more and more present in our everyday society, increasing significantly in both number and intensity. Although more advanced methods for DDoS mitigation are emerging, there exists nearly no research on kernel-level DDoS mitigation. Therefore, we designed a method to automatically generate extended Berkeley Packet Filter programs for DDoS mitigation, based on DDoS attack fingerprints from DDoSDB.org. We show that existing work only focuses on the performance of eBPF and that no research exists on DDoS mitigation using eBPF or similar techniques. Furthermore, we present a method to convert fingerprints to eBPF rules, as well as a method to reduce the size of fingerprints while maintaining as much precision as possible. Finally, we show that our method has an overall accuracy of over 95%, a true positive rate of at least 93% and a true negative rate of over 98% on more than 90% of the simulated attacks.

Dissertation
01 Jan 2019
TL;DR: In this paper, the authors proposed a DDoS mitigation system with the use of eBPF and XDP, which can be used to defend against DDoS attacks in real network environments.
Abstract: Distributed Denial of Service (DDoS) attacks are malicious attempts to disrupt a service at the target by overwhelming it with network packets. DDoS attacks are continuously rising in size and diversity. In 2018, Netscout reported a peak of 1.7 Tbps in size [1], and Akamai's annual report of 2018 [2] states that those spikes are still growing with an increasing growth curve. As an example from the beginning of 2018, with the new memcached attacks, attackers are still finding new ways to perform DDoS attacks. Cloudflare is one of the biggest vendors on the market providing solutions to defend against DDoS attacks. Their defending methods include the filtering of malicious packets by rules generated from attack signatures. The extended Berkeley Packet Filter (eBPF) and eXpress Data Path (XDP) form an important part of those defending methods. With the ability to filter packets at very high speed, eBPF and XDP prove in existing solutions that they can perform in the fight against DDoS attacks. With eBPF and XDP, malicious packets can be dropped based on rules specified inside the eBPF program. Studies show that eBPF and XDP are tools that are able to drop packets at higher rates than former tools. However, those studies only show this with plain packets and not in the case of an actual DDoS attack. Although eBPF and XDP are open source, the tools cannot directly be used to mitigate DDoS attacks. In practice a network operator has to know how to use these tools and what the implications of different scenarios can be. Therefore, the overall goal of this study is to research how to use eBPF and XDP to mitigate DDoS attacks and how effective the tools can be. A DDoS mitigation system is proposed in this study with the use of eBPF and XDP. With this system a network operator is able to drop packets with up to 100% accuracy when deep packet layers are considered.
The XDP filter allows higher packet processing speeds than an iptables filter with the same rules. The contribution of this study is two-fold. It adds new scientific findings on which new studies can build, and the study can be put into practice by network operators in real network environments.

Proceedings ArticleDOI
20 May 2019
TL;DR: Results indicate that trade-offs between performance characteristics can be realized at runtime and that it is possible to increase overall post-transition accuracy by retaining monitoring information.
Abstract: Hierarchical Heavy Hitters (HHHs) identify frequent items in streaming data. Finding these items has several applications in network monitoring, particularly in distributed denial-of-service (DDoS) mitigation and anomaly detection. Several algorithms are available to compute HHHs, each with different performance characteristics in terms of resource consumption, speed and accuracy. These characteristics determine which HHH algorithm may be best suited for a given network situation (e.g., because it offers sufficient accuracy for fine-grained traffic analysis). However, since the situation can evolve over time, the best choice of HHH algorithm may also change. Simply replacing a chosen HHH algorithm has the drawback of losing all previously acquired monitoring information. This paper introduces the novel concept of HHH-transitions, which transfer monitoring information between HHH variants and consequently allow a system to adopt new performance characteristics by switching algorithms at runtime. For example, this enables a DDoS mitigation system to adapt to evolving network situations and therefore increase overall Return-on-Mitigation. We present explicit transition rules for common one-dimensional HHH variants and evaluate our approach based on real traffic from MAWILab. Results indicate that trade-offs between performance characteristics can be realized at runtime and that it is possible to increase overall post-transition accuracy by retaining monitoring information.