Casablanca, Morocco // – NETSCOUT SYSTEMS, INC. (NASDAQ: NTCT), a leading provider of observability, AIOps, cybersecurity and distributed denial of service (DDoS) attack protection solutions, has released its latest global threat intelligence report, revealing how DDoS hits are intensifying across North Africa.
The findings highlight that telecommunications providers – both wired and wireless – were the primary targets in Morocco, Tunisia, Libya and Algeria during the first half of 2025.
Northern Africa by the numbers
- Morocco recorded more than 75,600 DDoS incidents, ranking second in Africa for overall attack volume behind South Africa.
- Tunisia endured the continent’s longest single DDoS campaign, lasting nearly seven hours (418.68 minutes), and also saw the highest recorded bandwidth, peaking at 756.61 Gbps.
- Libya withstood the second-longest single attack in Northern Africa, at 242.6 minutes, and suffered the highest attack complexity, with 23 vectors deployed in a single incident.
- Algeria, while reporting fewer malicious attempts (186), still faced powerful events, experiencing bandwidths peaking at 432.02 Gbps and throughput at 41.05 Mpps.
“Across the region, threat actors consistently targeted the telecommunications sector, unleashing high-volume, multi-vector attacks that disrupted connectivity and threatened service reliability,” comments Bryan Hamman, regional director for Africa at NETSCOUT. “Overall though, the results show an interesting mix of results when compared to our last Threat Intelligence Report, which looked at the second half of 2024.
“For example, Morocco continues to lead North Africa in the number of DDoS strikes sustained, with the country’s attack count rising from around 69,800 to over 75,600. Tunisia shifted from higher volumes – just short of 8,700 in 2H 2024 – to fewer attacks at 6,346 between January and July 2025, but contrastingly with record-breaking peaks in bandwidth and duration.
“Libya, however, more than doubled its attack volume, from just over 1,600 to nearly 3,750 incidents. Algeria saw fewer events but continued to face severe peak magnitudes.”
DDoS activity across the region
The majority of Morocco’s unrelenting attacks targeted wireless telecommunications carriers, with 64,517 incidents. This was followed by wired providers (1,342), research and development organisations within the fields of Social Sciences and Humanities (53), and shoe retailers (41), with TCP ACK, DNS amplification and SYN/ACK amplification among the most common vectors. The country experienced a maximum recorded attack of 158.88 Gbps in bandwidth and 17.74 Mpps in throughput.
Most attacks on Tunisia were primarily aimed at wired telecommunications providers, with 5,288 incidents. Next were wireless carriers, followed by hotels (except casino hotels and motels). Although attack frequency was lower than during the second half of 2024, the country endured the largest single DDoS event in the region, peaking at 756.61 Gbps and 49.51 Mpps, with an aggregate spike reaching 27 Tbps in April 2025. Average attack duration also lengthened significantly, exceeding 400 minutes in some cases.
While Libya’s maximum single-attack bandwidth was smaller than Tunisia’s, at 113.15 Gbps, the country saw the largest number of vectors used in a single event (23), illustrating the growing complexity of the threat landscape. Wireless telecommunications carriers absorbed most attacks (2,519), but unusual targeting of gasoline stations was also recorded.
Algeria logged 186 attacks in 1H 2025, the fewest in the region, but with significant peaks reaching 432.02 Gbps. The telecommunications sector – both wired and wireless – remained the most frequent target, with DNS amplification as the dominant vector.
“North Africa is a prime example of how rapid digital growth attracts malicious activity,” adds Hamman. “The first half of 2025 shows that attackers are not only increasing their volumes in countries like Morocco, but are also using more sophisticated multi-vector methods in Libya and high-magnitude events in Tunisia. Even Algeria, with relatively fewer incidents, cannot ignore the scale of its largest attacks.
“The lesson is clear: organisations must prepare for the scale and sophistication of today’s threats,” he concludes.
NETSCOUT maps the DDoS landscape through passive, active, and reactive vantage points, providing unparalleled visibility into global attack trends. NETSCOUT protects two-thirds of the routed IPv4 space, securing network edges that carried global peak traffic of over 800 Tbps in 1H2025. It monitors tens of thousands of daily DDoS attacks by tracking multiple botnets and DDoS-for-hire services that leverage millions of abused or compromised devices.
