Distributed Denial of Service (DDoS) attacks are continuing to evolve in both scale and sophistication across West Africa.
According to NETSCOUT’s latest 2H 2025 Distributed Denial‑of‑Service (DDoS) Threat Intelligence Report, which analyses the threat landscape across key regional economies including Nigeria, Côte d’Ivoire, Ghana and Mali, the second half of 2025 shows the growing use of multi-vector techniques, increased targeting of critical infrastructure, and the emergence of Nigeria as being simultaneously a source and target of global DDoS attack traffic.
Bryan Hamman, regional director for Africa at NETSCOUT, warns:
“We see a clear message for business leaders: DDoS is no longer a ‘blunt force’ disruption tool, but rather is continuously evolving into a strategic, persistent and highly adaptive threat. This reflects a broader global pattern in that DDoS attacks are becoming more precise, sustained and economically disruptive.”
One of the most significant findings across all four of these West African countries is the growing prevalence of multi-vector DDoS attacks.
Unlike traditional attacks that rely on a single method, multi-vector campaigns combine several techniques simultaneously, for example volumetric floods, such as UDP amplification; protocol attacks, like TCP SYN floods; and application-layer attacks, for instance HTTP requests.
This layered approach allows attackers to bypass single-layer defences, maximise disruption across network and application layers, and change their tactics in real time.
Across West Africa, these attacks are increasingly being directed at critical infrastructure, including financial services platforms, government and public sector systems, and telecommunications providers including internet service providers (ISPs), hosting and data services, and digital platforms.
Nigeria’s numbers for the period are up compared to 1H 2025, and it remains both a regional hotspot as well as a high-risk environment, with increasing attack complexity.
Côte d’Ivoire experienced rising volumes and longer attacks, while Ghana and Mali both showed declining volumes that were still coupled with sophisticated, unrelenting attack formats.
Nigeria: A dual role as both target and source
As a major economic hub in West African, it is not surprising, says Hamman, that Nigeria is also a major DDoS target within the region.
During 1H 2025, the country experienced 1,844 attacks, increasing to 3,593 in 2H 2025. The average attack duration was nearly 37 minutes, with attack complexity continuing to rise.
The NETSCOUT report shows that Nigeria has experienced multi-vector DDoS campaigns in the region, with attackers continuing to combine techniques such as TCP ACK, TCP SYN/ACK amplification and TCP RST. In some cases, attacks leveraged up 13 distinct vectors simultaneously.
In addition, Nigeria has also been flagged as being both a source of malicious botnets originating from compromised devices, as well as a target of botnet-driven attacks, together with Kenya and South Africa.
This highlights the continued growth and evolution of DDoS-capable botnets, where networks of infected devices, ranging from personal computers to IoT endpoints, are used to generate massive volumes of traffic from distributed sources.
Says Hamman:
“This dual role suggests that large numbers of compromised devices, whether across IoT, enterprise endpoints or poorly secured infrastructure, are being leveraged within the country, even as Nigerian networks are simultaneously under sustained attack from external actors.”
Côte d’Ivoire: Rising volumes and endurance attacks
Côte d’Ivoire has seen DDoS attack volumes increasing in 2H 2025, with incident durations becoming particularly notable. In the wired telecommunications carrier arena, the average duration reached 977 minutes (almost 16.5 hours). During the first half of 2025, the country also recorded some of the lengthiest DDoS strikes in West Africa, with average durations exceeding 368 minutes, or over six hours.
The top three attack vectors were once again TCP ACK, TCP SYN/ACK amplification and TCP RST. The maximum number of vectors seen in a single attack was 10, with a total of 1,387 incidents.
Says Hamman:
“These prolonged incidents represent a critical evolution in attacker strategy and showcase the continued rise of ‘slow-burn’ attacks. Rather than overwhelming networks with short bursts of traffic, threat actors are increasingly deploying extended, lower-intensity assaults, which are designed to evade traditional detection mechanisms; exhaust mitigation resources over time and disrupt services without triggering immediate escalation.”
Ghana and Mali: A declining trend showcases different types of risk
In contrast to Nigeria and Côte d’Ivoire, Ghana and Mali both saw a decrease in DDoS attack volumes in the second half of 2025 compared to the first half, with Ghana recording a total of 112, and Mali being subjected to significantly more, on 1,940.
“However,” notes Hamman, “this should not be interpreted as a reduced threat level. Our data shows that even in lower-volume environments, assailants are continuing to deploy multi-vector strategies. Ghana experienced attacks involving up to 14 different vectors in a single incident, while Mali recorded some of the longest incidents on the continent, at over 18 hours (1,103 minutes).”
“DDoS attacks are no longer isolated IT incidents but instead represent business continuity events,” he says. “Prolonged outages can result in lost revenue, customer dissatisfaction and reputational damage. As many attacks target service providers and critical infrastructure, the risk of downstream supply chain disruption also increases.
“NETSCOUT plays a critical role in global defences against DDoS attacks, as well as by analysing trends and providing real-time threat intelligence at a global level. This enables organisations to anticipate threats rather than simply reacting to them, as DDoS threat actors continue to evolve in both sophistication and malice,” he concludes.
