Where do DDoS attacks come from?

also ft how to shut down the internet 2.0

CybAfriqué is a space for news and analysis on cyber, data, and information security on the African continent.

HIGHLIGHTS

Where do DDoS attacks come from?

Al-Ameen has been staring too hard at Netscout’s report on the global state of DDoS attacks, and this issue looks at the African countries with the highest number of DDoS attacks in H1 2025.

Most of us already know what a DDoS attack is. Let’s say you build a road with the capacity to take 150 vehicles at a time. A DDoS attack is what happens when a radical group that’d rather not see that road functioning puts 1,500 vehicles on it, causing so much traffic that the road stops working completely. In DDoS attacks, threat actors use networks of devices to bombard digital infrastructures with so much traffic that they stop working.

If you’re trying to figure out where this digital mob is coming from, you’ll be looking at a map that’s changing fast. It used to be that China and the United States were the biggest sources of attack nodes, the compromised devices that make up these armies of bots. The thinking was pretty simple: they’ve got a ton of internet-connected devices, so they’ve got a ton of potentially compromised internet-connected devices that are used for these attacks.

The latest intelligence from Netscout shows Africa is now a major theater for this kind of cyber warfare. 

According to NETSCOUT's reports from late 2024 and early 2025, several African nations are now major hotspots. South Africa, for instance, recorded over 213,000 DDoS incidents in the first half of 2025 alone, making it the continent's primary target. Critical industries like insurance, banking, and telecommunications are squarely in the crosshairs. South Africa had more attacks on computer-related services and investment advice than anywhere else in the world. Nigeria, in a weirdly specific twist, was the only country globally to see beauty salons as a notable target.

Morocco and Kenya were the second and third-most-attacked countries in Africa in the first half of 2025, respectively. In West Africa, Nigeria and Mali led the pack, with Mali seeing a more than tenfold increase in attacks in the second half of 2024. And it's not just a flood of simple, low-effort attacks.

South Africa, Kenya, Libya, and Nigeria all saw attacks with up to 23 different vectors, while Tunisia holds the record with a single attack using 27 vectors.

The rise of groups like "Anonymous Sudan," which claimed responsibility for major attacks in Africa and across the world, shows that these attacks aren't just for financial gain.

In case you’re wondering, here are Africa’s top ten countries with the most DDoS attacks:

South Africa led with 213,523 attacks; Morocco was second with 75,624; Kenya came third with 46,786 attacks; Mauritius came fourth with 38,906 attacks; fifth is Djibouti, with 31,172 attacks; Egypt came sixth with 20,628; Tunisia came seventh with 6,346; Angola is eighth with 4,792; Mali ranks ninth with 4,142; and Libya is number ten with 3,747. 

Interestingly, Nigeria did not feature in the top ten, and three North African countries are among the top ten most attacked countries, making the region one of the most targeted on the continent.

How to shut down the Internet 2.0 

A highlight partly titled Internet shutdowns are business transactions

Last week, we talked about how internet shutdowns work. This week, we’re looking at enablers.

Telco internet service providers top this list. Most of Africa’s internet infrastructure is owned by a handful of corporations: MTN, Vodacom, Orange, and Safaricom. This dynamic is a big part of the reason you see a handful of major players — MTN, Vodacom, Orange — getting tangled up in so many of these incidents. MTN has been involved in shutdowns in Nigeria, Sudan, Guinea, and eSwatini, and Vodacom in Mozambique.

The logic is simple. You don’t get to be a multi-billion-dollar telecom giant if the government decides you can no longer operate. It’s a classic hostage situation, only the hostage is the entire country’s internet. Other times, however, ISPs may concede because they are actively helping in order to curry favor.

For deep packet inspection (DPI), however, the business is a bit more complicated. Countries like Egypt, Libya, and Ethiopia are big users of surveillance tech that enables DPI. Countries like Nigeria and Ghana are also spending money on obtaining theirs. The tech is not homegrown. Chinese firms like Huawei and ZTE, and Israeli spyware companies like the NSO Group have gained prominence for these kinds of tech. Some of this tech, especially concerning Chinese firms, has been obtained through soft loans,

FEATURES

  • NETSCOUT's latest threat intelligence report for Europe, the Middle East, and Africa (EMEA) reveals a surge in DDoS attacks, with over 3.2 million incidents in the first half of 2025 alone. These attacks, increasingly driven by geopolitical events and hacktivist groups like NoName057(16), have become more sophisticated, leveraging AI, botnets, and "DDoS-for-hire" services.

HEADLINE

ACROSS THE WORLD

OPPORTUNITIES

IMAGE OF THE WEEK

A Chinese court has sentenced to death 11 members of a notorious family that ran scam centres in Myanmar, according to Chinese state media CCTV. The Ming Family are known for running a multi-billion dollar gambling and cybercrime enterprise that operated across the Myanmar border region. The family employed an armed force and controlled multiple pig-butchering centers, where migrants were tricked and forced to work in slave-like conditions. Reports say they were responsible for the deaths of at least ten people. Last year, a pig-butchering center was busted in Lagos, marking the first appearance of syndicated pig butchering schemes on the continent.

Happy cybersecurity awareness month and see you next week.
