The distributed denial of service (DDoS) threat landscape in late 2025 was defined by sustained global attack volumes, increasingly capable IoT botnets, sophisticated threat actor campaigns, and a decisive move toward AI-enhanced DDoS-for-hire operations.
This is according to Netscout’s Atlas global threat intelligence platform, which monitored more than 8-million DDoS attacks in 203 countries and territories during the six-month period between July and December 2025.
Attacks reaching up to 30 terabits per second are now possible, and conversational AI interfaces are guiding even unskilled attackers through complex operations. Although these large-scale attacks remain rare, they continue to shape defensive strategies. The average attack fuelled by TurboMirai IoT botnets is now short, intense and multisector, affecting a wide range of industries.
Between July and December 2025, more than 3,3-million DDoS incidents were recorded across Europe, the Middle East and Africa (EMEA), marking it as the most impacted region. This was followed by Asia-Pacific (APAC) with over 1,9-million incidents, North America with 1,27-million and Latin America with 1,01-million.
More than half of these attacks worldwide were multivector strikes, underscoring a fundamental shift in how campaigns are being executed. Threat actors are increasingly leveraging AI to plan, launch and adapt attacks in real time. As a result, sophisticated attacks no longer require deep technical expertise, significantly narrowing the gap between attacker intent and execution.
And, according to the Threat Intelligence Report 2H 2025, these dynamics are mirrored across Africa.
South Africa experienced the highest number of vectors seen in a single attack, at 26. The most common included TCP ACK floods, TCP RST floods, DNS amplification and SYN floods. Libya followed with 23 vectors and Kenya with 21, while Morocco, Tunisia and Zambia each recorded 20 vectors. Mauritius registered 19 vectors in one instance.
South Africa (which was ranked as the fifth most targeted country in EMEA), Morocco and Kenya were once again the three countries recording the most incidents – at 171 812, 145 396 and 51 315 attacks respectively. However, it was countries within West and East Africa that were predominantly targeted with the longest-duration onslaughts on the continent.
Wireless telecommunications carriers recorded some of the lengthiest incidents, lasting 1 785 minutes (close to 30 hours) in the Republic of the Congo; 1 023 minutes (more than 17 hours) in Liberia; and 1 005 minutes (almost 17 hours) in Tanzania.
“Many factors influence the duration of an attack including mitigation efforts, detection capabilities, attack size and attacker persistence,” explains Bryan Hamman, area vice-president (AVP) for Africa at Netscout. “It should be noted that duration is not a measure of the size of an attack, because smaller attacks often go unnoticed for longer periods of time. In contrast, larger-scale attacks trigger alarm systems more quickly, leading to faster mitigation efforts.
“To reduce the duration of a DDoS attack, organisations must be able to identify the signs early,” Hamman continues. “Ideally, they will already have a DDoS detection solution in place. If not, they should look for performance degradations such as slow response, long load times or unavailability of websites, applications or other services. If an attack is confirmed and no DDoS protection solution is in place, the first step is to contact the Internet service provider for mitigation support, while continuing to monitor the attack until it ends.”
While wireless telecommunications organisations were by far the most attacked sector on the broader continent from Angola to Zambia, several other industries were also affected. Wired telecommunications carriers topped the list of sectors in Algeria, Burkina Faso, the Democratic Republic of the Congo, and Tunisia, while all other telecommunications companies were the most targeted in Zimbabwe. Computer infrastructure providers were the leading targets in Eswatini, Madagascar, Seychelles and South Sudan.
Implications for defenders
“DDoS attacks remain one of the most persistent and disruptive threats in the cybersecurity landscape,” says Hamman. “They can have significant impact on both direct and indirect costs. Lack of network, application or service availability can cause downtime leading to frustrated customers, unproductive employees, reputational damage, eroded customer trust, and revenue decline.
“Legacy defences struggle against AI-enhanced DDoS campaigns,” he adds. “Static signatures, manual response and limited visibility are no longer sufficient, meaning that effective defence now requires intelligence-driven, automated and adaptive protection. Investing in both cloud-based and on-premises adaptive DDoS protection is essential to defend against multivector dynamic attacks of all types to prevent these losses.”