DDoS threat

Last Updated 2 hours ago by Kenya Engineer

The distributed denial of service (DDoS) threat landscape in late 2025 was defined by sustained global attack volumes, increasingly capable IoT botnets, sophisticated threat actor campaigns, and a decisive move toward AI-enhanced DDoS-for-hire operations.

This is according to NETSCOUT’s ATLAS global threat intelligence platform, which monitored more than 8 million DDoS attacks in 203 countries and territories during the six-month period between July and December 2025. The latest NETSCOUT Threat Intelligence Report for the second half of 2025 revealed a threat landscape where the line between intent and capability has all but disappeared.

Attacks reaching up to 30 terabits per second are now possible, and conversational AI interfaces are guiding even unskilled attackers through complex operations. Although these large-scale attacks remain rare, they continue to shape defensive strategies. The average attack, fuelled by TurboMirai IoT botnets, is now short, intense and multisector, affecting a wide range of industries.

Between July and December 2025, more than 3.3 million DDoS incidents were recorded across Europe, the Middle East and Africa (EMEA), marking it as the most impacted region. This was followed by Asia-Pacific (APAC) with over 1.9 million incidents, North America with 1.27 million and Latin America with 1.01 million.

Multivector Attack Strategies Signal DDoS Sophistication Shift

More than half of these attacks worldwide were multivector strikes, underscoring a fundamental shift in how campaigns are being executed. Threat actors are increasingly leveraging AI to plan, launch and adapt attacks in real time. As a result, sophisticated attacks no longer require deep technical expertise, significantly narrowing the gap between attacker intent and execution.

And, according to the Threat Intelligence Report 2H 2025, these dynamics are mirrored across Africa.

South Africa experienced the highest number of vectors seen in a single attack, at 26. The most common included TCP ACK floods, TCP RST floods, DNS amplification and SYN floods. Libya followed with 23 vectors and Kenya with 21, while Morocco, Tunisia and Zambia each recorded 20 vectors. Mauritius registered 19 vectors in one instance.

South Africa (which was ranked as the fifth most targeted country in EMEA), Morocco and Kenya were once again the three countries recording the most incidents, at 171,812, 145,396 and 51,315 attacks respectively. However, it was countries within West and East Africa that were predominantly targeted with the longest-duration onslaughts on the continent.

Wireless telecommunications carriers recorded some of the lengthiest incidents: lasting 1,785 minutes (close to 30 hours) in the Republic of the Congo; 1,023 minutes (more than 17 hours) in Liberia; and 1,005 minutes (almost 17 hours) in the United Republic of Tanzania.

“Many factors influence the duration of an attack, including mitigation efforts, detection capabilities, attack size and attacker persistence,” explains Bryan Hamman, area vice president (AVP) for Africa at NETSCOUT. “It should be noted that duration is not a measure of the size of an attack, because smaller attacks often go unnoticed for longer periods of time. In contrast, larger-scale attacks trigger alarm systems more quickly, leading to faster mitigation efforts.

“To reduce the duration of a DDoS attack, organisations must be able to identify the signs early. Ideally, they will already have a DDoS detection solution in place. If not, they should look for performance degradations such as slow response, long load times or unavailability of websites, applications or other services. If an attack is confirmed and no DDoS protection solution is in place, the first step is to contact the internet service provider for mitigation support, while continuing to monitor the attack until it ends.”

While wireless telecommunications organisations were by far the most attacked sector on the broader continent, from Angola to Zambia, several other industries were also affected. Wired telecommunications carriers topped the list of sectors in Algeria, Burkina Faso, the Democratic Republic of the Congo and Tunisia, while all other telecommunications companies were the most targeted in Zimbabwe. Computer infrastructure providers were the leading targets in Eswatini, Madagascar, Seychelles and South Sudan.

Implications for defenders

“DDoS attacks remain one of the most persistent and disruptive threats in the cybersecurity landscape,” says Hamman. “They can have significant impact on both direct and indirect costs. Lack of network, application or service availability can cause downtime, leading to frustrated customers, unproductive employees, reputational damage, eroded customer trust and revenue decline.

“Legacy defences struggle against AI-enhanced DDoS campaigns. Static signatures, manual response and limited visibility are no longer sufficient, meaning that effective defence now requires intelligence-driven, automated and adaptive protection. Investing in both cloud-based and on-premises adaptive DDoS protection is essential to defend against multivector dynamic attacks of all types to prevent these losses,” he adds.

NETSCOUT protects two-thirds of the routed IPv4 space, securing network edges that carried global peak traffic of over 800 Tbps, covering 376 industry verticals and 12,698 Autonomous System Numbers (ASNs) in the second half of 2025. It monitors tens of thousands of daily DDoS attacks by tracking multiple botnets and DDoS-for-hire services that leverage millions of abused or compromised devices.

 
