South Africa hit by 171,000 DDoS attacks in late 2025

South Africa absorbed more than 171,000 distributed denial-of-service (DDoS) attacks in the final six months of 2025, ranking among the most-targeted countries worldwide across several critical industries.

The figures come from network security firm NETSCOUT, which says a recent run of attacks on South African hosting providers, internet service providers, and connectivity infrastructure points to a sharper, more coordinated threat to the country’s digital economy.

Where South Africa ranks

According to NETSCOUT’s DDoS Threat Intelligence Report for the second half of 2025, the country recorded 171,812 attacks between July and December, with the average attack lasting more than 74 minutes. It was the fifth most-targeted country in the wider Europe, Middle East and Africa (EMEA) region.

The report places South Africa first in the world for DDoS attacks against several sectors:

• computer-related services
• computer systems design
• commercial banking
• portfolio management and investment advisory
• insurance

Going after the infrastructure layer

Bryan Hamman, NETSCOUT’s area vice president for Africa, said attackers are increasingly targeting upstream providers, whose failures cascade fastest. “The recent incidents impacting South African infrastructure providers demonstrate how DDoS campaigns are evolving beyond isolated disruptions into broader attacks against critical digital ecosystems,” he said.

Hamman said attackers are combining several techniques in a single, multi-vector assault to overwhelm defences, a shift he described as harder to mitigate. Because an attack on one hosting or connectivity provider can ripple across thousands of downstream businesses at once, that layer has become the preferred target.

Extortion and cheaper tools

The campaigns are increasingly tied to extortion, Hamman said, with sustained attacks used to pressure organisations into paying under the threat of prolonged outages. NETSCOUT also points to AI-driven attack tools, large language models on the dark web, and more accessible DDoS-for-hire services as lowering the barrier to entry, putting high-impact attacks within reach of a wider pool of actors.

Why it matters

South Africa carries the densest concentration of data centres, internet exchange points and hosting providers on the continent, which is part of what makes it such a rich target. The same infrastructure that anchors the regional internet also offers attackers the widest blast radius.

NETSCOUT did not name the specific recent incidents it referenced, and the rankings and attack volumes are drawn from its own threat-intelligence data. Even so, the direction is clear: for the operators at the centre of South Africa’s internet, rapid mitigation is becoming a condition of staying online.