Are DDoS attacks escalating across North Africa?

NETSCOUT SYSTEMS, INC., a leading provider of observability, AIOps, cybersecurity, and distributed denial of service (DDoS) protection solutions, has released its latest global threat intelligence report highlighting the intensification of DDoS attacks across North Africa

The study shows that telecommunications operators, both wired and wireless, were the primary targets in Morocco, Tunisia, Libya, and Algeria during the first half of 2025.

Northern Africa by the numbers

Morocco registered more than 75,600 DDoS incidents, making it the second highest in Africa for attack volume after South Africa. Tunisia experienced the continent’s longest single DDoS campaign, lasting nearly seven hours (418.68 minutes), while also recording the highest bandwidth peak at 756.61 Gbps. Libya faced the second-longest single attack in the region at 242.6 minutes, with the highest attack complexity recorded, involving 23 vectors in one incident. Algeria, although recording fewer attempts (186), still endured significant threats, with peaks of 432.02 Gbps in bandwidth and 41.05 Mpps in throughput.

“Across the region, threat actors consistently targeted the telecommunications sector, unleashing high-volume, multi-vector attacks that disrupted connectivity and threatened service reliability,” commented Bryan Hamman, regional director for Africa at NETSCOUT. “Overall though, the results show an interesting mix of results when compared to our last Threat Intelligence Report, which looked at the second half of 2024.

“For example, Morocco continues to lead North Africa in the number of DDoS strikes sustained, with the country’s attack count rising from around 69,800 to over 75,600. Tunisia shifted from higher volumes - just short of 8,700 in 2H 2024 - to fewer attacks at 6,346 between January and July 2025, but contrastingly with record-breaking peaks in bandwidth and duration.

“Libya, however, more than doubled its attack volume, from just over 1,600 to nearly 3,750 incidents. Algeria saw fewer events but continued to face severe peak magnitudes.”

DDoS activity across the region

In Morocco, the majority of attacks targeted wireless telecommunications carriers, with 64,517 incidents. Wired providers followed with 1,342 incidents, along with research and development organisations in Social Sciences and Humanities (53), and shoe retailers (41). Common vectors included TCP ACK, DNS amplification, and SYN/ACK amplification. The largest recorded attack in the country reached 158.88 Gbps in bandwidth and 17.74 Mpps in throughput.

Tunisia’s attacks primarily struck wired telecommunications providers, with 5,288 incidents, followed by wireless carriers and the hospitality sector (excluding casino hotels and motels). Despite a lower number of attacks compared with 2H 2024, Tunisia endured the largest single DDoS assault in North Africa, with peaks of 756.61 Gbps and 49.51 Mpps, and an aggregate surge hitting 27 Tbps in April 2025. The average duration of attacks also increased substantially, exceeding 400 minutes in some cases.

In Libya, although peak bandwidths were smaller at 113.15 Gbps, attackers deployed 23 different vectors in a single incident — the most complex attack in the region. Wireless telecommunications providers were the primary targets, with 2,519 attacks, but unusual attempts against gasoline stations were also recorded.

Algeria reported 186 DDoS incidents in 1H 2025, the lowest among the four countries. However, the scale of attacks was significant, with peaks hitting 432.02 Gbps. Both wired and wireless telecommunications operators were the main targets, with DNS amplification identified as the most common attack method.

“North Africa is a prime example of how rapid digital growth attracts malicious activity,” adds Hamman. “The first half of 2025 shows that attackers are not only increasing their volumes in countries like Morocco, but are also using more sophisticated multi-vector methods in Libya and high-magnitude events in Tunisia. Even Algeria, with relatively fewer incidents, cannot ignore the scale of its largest attacks.

“The lesson is clear: organisations must prepare for the scale and sophistication of today’s threats,” he concluded.

NETSCOUT maps the DDoS landscape through passive, active, and reactive vantage points, providing unique visibility into global attack activity. The company protects two-thirds of the routed IPv4 space, securing network edges that carried global peak traffic exceeding 800 Tbps in the first half of 2025. It tracks tens of thousands of daily DDoS attacks by monitoring multiple botnets and DDoS-for-hire services that exploit millions of compromised devices.