South Africa leads in attack volume and industries targeted on the continent; Morocco and Kenya follow.
NETSCOUT SYSTEMS, INC. has released its latest global threat intelligence report, revealing that South Africa, Morocco and Kenya were the three most targeted African countries for distributed denial of service (DDoS) attacks in the first half of 2025.
South African sectors take DDoS strain
South Africa ranked as the continent’s primary hotspot, recording 213,523 DDoS attacks during the six-month period. Several of its industries featured prominently among the most attacked at a global level. These sectors included: - Insurance agencies and brokerages – first worldwide, with 6,680 attacks - Other computer-related services – first worldwide, with 18,243 attacks (Kenya followed in second place with 8,730) - Portfolio management and investment advice – first worldwide, with 1,571 attacks (Kenya second with 720) - Commercial banking – second worldwide, with 4,653 attacks - Electronics and appliance retailers – third worldwide, with 255 attacks - Electronics computer manufacturing – third worldwide, with 525 attacks - Wireless telecommunications carriers (except satellite) – South Africa ranked fourth globally with 126,551 attacks, while Morocco placed tenth with 64,517 The report also showed that Seychelles ranked sixth globally for attacks on software publishers (183), while Nigeria uniquely recorded 108 incidents aimed at beauty salons — the only country worldwide to have this sector noted. While South Africa remained the most attacked African nation, Morocco ranked second with 75,624 DDoS incidents, and Kenya third with 46,786 attacks during the first half of 2025. Together, these three countries accounted for the vast majority of malicious activity across the continent.
Complex multivector events in South Africa, Kenya, Libya and Nigeria
NETSCOUT’s research showed that South Africa, Kenya, Libya and Nigeria all recorded 23 attack vectors in a single attack, followed closely by Morocco with 20. Attack vectors refer to the different methods cybercriminals use to overwhelm their targets. The most common in Africa during the first six months of 2025 ranged from DS (destination port floods) to Dn (DNS query floods) and Ta (TCP ACK floods). The increasing variety of vectors shows that attackers are using multi-layered techniques to bypass defences and cause maximum disruption.
Tunisia sees longest, largest attack
In terms of duration, Tunisia experienced the longest single DDoS attack in Africa, clocking in at 418.68 minutes (nearly seven hours). Other countries close behind included Côte d’Ivoire (415.34 minutes), Burkina Faso (356.49 minutes), Mali (336.63 minutes) and Libya (242.6 minutes). Such prolonged attacks emphasise the persistence of adversaries in attempting to cripple connectivity and online services. The report also revealed the largest DDoS attack statistics observed in selected African nations, as follows: - Tunisia – maximum bandwidth of 756.61 Gbps and throughput of 49.51 Mpps, across 6,346 attacks - Algeria – maximum bandwidth of 432.02 Gbps, throughput of 41.05 Mpps, across 186 attacks - South Africa – maximum bandwidth of 312.46 Gbps and throughput of 27.46 Mpps, across 213,523 attacks
NETSCOUT commentary
Commenting on the findings, Bryan Hamman, regional director for Africa at NETSCOUT, said: “NETSCOUT’s latest threat intelligence underlines how Africa is firmly in the sights of global cybercriminals. South Africa continues to experience extremely high volumes of DDoS activity, with its critical industries increasingly under threat. At the same time, Morocco, Kenya and other nations are facing rising attack sophistication, as shown by the high number of vectors. The prolonged strikes in Tunisia, Côte d’Ivoire, Burkina Faso, Mali and Libya, alongside record-breaking bandwidths and throughputs, further demonstrate the determination of attackers to disrupt essential services.” “As connectivity expands and the digital economy matures across Africa, organisations must recognise the essential need for intelligence-driven defences that can safeguard their operations, customers and reputations.”
NETSCOUT’s report draws on extensive monitoring of global DDoS activity, using data from botnets, attack services and compromised devices to map attack trends and techniques. This intelligence provides a window into how adversaries are adapting and where risks are emerging, offering valuable insight for organisations across Africa.
