South Africa’s Internet went down — what happened

Internet exchange point NAPAfrica, a critical component of South Africa’s Internet infrastructure, experienced two incidents on 21 May 2025 that caused a national outage for several minutes at a time.

The downtime happened because of a software bug in a piece of networking equipment that prevented it from responding correctly to a flood of traffic from a remote network.

Many people watching finance minister Enoch Godongwana’s budget speech on YouTube today experienced the stream being interrupted because their Internet connections went offline.

According to feedback from industry sources, the outage impacted most Internet service providers as they are all heavily reliant on NAPAfrica.

NAPAfrica is an initiative of South Africa’s largest data centre operator, Teraco, and operates three Internet exchange points in Johannesburg, Cape Town, and Durban.

These exchange points are multi-site and spread across multiple data centres in each region for redundancy.

NAPAfrica offers free peering services to network service providers, allowing anyone with a presence at one of the data centres to exchange traffic.

NAPAfrica’s business model and technical excellence made it incredibly popular. Internet service providers also credit it with reducing the cost of high-speed broadband in South Africa.

Unfortunately, on Wednesday, the Internet exchange point operator experienced an issue that caused two periods of brief downtime across the whole network.

The first incident happened around 12:15, and the second happened two hours later — in the middle of Godongwana’s speech.

“In both instances, we noticed significant MAC movement, consistent with a loop in the network,” NAPAfrica explained.

MAC is short-hand for Media Access Control addresses — hardware-level identifiers needed to ensure network traffic reaches its destination.

“Upon initial investigation after the first incident, our monitoring systems showed there was broadcast traffic originating from a specific device,” NAPAfrica explained.

Broadcast traffic is packets sent to all devices within a specific network segment, known as a broadcast domain.

NAPAfrica removed the device sending broadcast traffic from the network for further investigation.

The charts below show the surge in broadcast traffic during the two incidents, resulting in a sudden dip in traffic from legitimate sources through its Johannesburg exchange point.

Isolating and mitigating the issue

“While continuing with troubleshooting, we experienced the second incident, with the same symptoms,” it said.

“During this time, we were able to isolate the true source of the issue, which was a remote network.”

NAPAfrica said it uses “port-security” to ensure the network’s stability. In more technical terms, each peering port has a MAC limit of 1 to ensure that loops do not affect other peers.

“Previously, we encountered issues where the port-security feature still allowed leaked MAC addresses to be advertised over Ethernet Virtual Private Network (EVPN),” it explained

“Since the advertising port would subsequently shut, and EVPN blacklisting would be triggered, resulting in unknown-unicast flooding.”

NAPAfrica said this particular issue was previously logged with its vendor and has been acknowledged as an official bug.

“The recommendation from the vendor was to use port protection mode to prevent port flapping and to ensure that leaks would not affect the network,” it said.

“In this particular case, protection mode has proven to be ineffective, resulting in the same issues related to the aforementioned bug.”

To mitigate this issue, NAPAfrica said it has begun implementing static access control lists to ensure stability.