South Africa, Morocco, and Kenya were the three most targeted African countries for Distributed Denial of Service (DDoS) attacks in the first half of 2025, according to NetScout’s latest global threat intelligence report – with South Africa ranked as the continent’s primary hotspot, recording 213 523 DDoS attacks during the six-month period.
Several of its industries featured prominently among the most attacked at a global level, including:
- Insurance agencies and brokerages – first worldwide with 6 680 attacks;
- Other computer-related services – first worldwide with 18 243 attacks (Kenya followed in second place with 8 730);
- Portfolio management and investment advice – first worldwide with 1 571 attacks (Kenya again came in second with 720);
- Commercial banking – second worldwide with 4 653 attacks;
- Electronics and appliance retailers – third worldwide with 255 attacks;
- Electronics computer manufacturing – third worldwide with 525 attacks; and
- Wireless telecommunications carriers (except satellite) – South Africa ranked fourth globally with 126 551 attacks – Morocco placed 10th with 64 517.
The report also showed that the Seychelles was positioned as sixth globally for attacks on software publishers (183), while Nigeria uniquely recorded 108 incidents aimed at beauty salons – the only country in the world to have this sector noted in the report.
While South Africa remained the most attacked African nation, Morocco ranked second with 75 624 DDoS incidents and Kenya third with 46 786 attacks during the first half of the year. Together, these three countries accounted for the vast majority of malicious activity across the continent.
NetScout’s research showed that South Africa, Kenya, Libya, and Nigeria all recorded 23 attack vectors in a single attack, followed closely by Morocco with 20.
Attack vectors refer to the different methods cybercriminals use to overwhelm their targets. The most commonly seen examples in Africa for the first six months of 2025 ranged from DS (destination port floods) to Dn (DNS query floods) and Ta (TCP ACK floods). The increasing variety of vectors shows that attackers are using multi-layered techniques to bypass defences and cause maximum disruption.
In terms of duration, Tunisia experienced the longest single DDoS attack in Africa, clocking in at 418.68 minutes (nearly seven hours). Other countries close behind included Côte d’Ivoire (415.34 minutes), Burkina Faso (356.49 minutes), Mali (336.63 minutes), and Libya (242.6 minutes). Such prolonged attacks emphasise the persistence of adversaries in attempting to cripple connectivity and online services.
The report also revealed the largest DDoS attack statistics observed in selected African nations:
- Tunisia – maximum bandwidth of 756.61 Gbps and throughput of 49.51 Mpps, recorded across 6 346 attacks;
- Algeria – maximum bandwidth of 432.02 Gbps, throughput of 41.05 Mpps, noted across 186 attacks; and
- South Africa – maximum bandwidth of 312.46 Gbps and throughput of 27.46 Mpps, detailed across 213 523 attacks.
Commenting on the findings, Bryan Hamman, regional director for Africa at NETSCOUT, said: “NetScout’s latest threat intelligence underlines how Africa is firmly in the sights of global cybercriminals,” says Bryan Hamman, regional director for Africa at NetScout. “South Africa continues to experience extremely high volumes of DDoS activity with its critical industries increasingly under threat.
“At the same time, Morocco, Kenya, and other nations are facing rising attack sophistication – as shown by the high number of vectors,” Hamman adds. “The prolonged strikes in Tunisia, Côte d’Ivoire, Burkina Faso, Mali, and Libya – alongside record-breaking bandwidths and throughputs – further demonstrates the determination of attackers to disrupt essential services.