diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index af6466d..f506032 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2834,7 +2834,11 @@ monitor_network_attacks() {
 # 5. Single-target focus detection
 # Botnet usually targets one service/port
 # Check if connections are all to same port (80/443)
- local target_ports=$(ss -tn state syn-recv src "$ip" 2>/dev/null | grep -oP ':\d+\s+' | sort -u | wc -l)
+ # CRITICAL FIX: Quote the ss EXPRESSION filter for correct syntax
+ # Bug: Unquoted 'src "$ip"' was treated as separate arguments, not a filter expression
+ # Result: ss silently ignores the filter and returns ALL syn-recv (giving wrong port count)
+ # Fix: Quote the expression so ss parses it correctly: 'src IP'
+ local target_ports=$(ss -tn "state syn-recv src $ip" 2>/dev/null | grep -oP ':\d+\s+' | sort -u | wc -l)
 [ -z "$target_ports" ] && target_ports=0
 if [ "$target_ports" -eq 1 ] && [ "$count" -ge 8 ]; then
 conn_bonus=$((conn_bonus + 10)) # Single port = targeted attack
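Review bot: The port count on the new `local target_ports=` line still counts both address columns of the `ss -tn` output — `grep -oP ':\d+\s+'` matches the Peer Address:Port field as well as Local Address:Port, and the peer ports of distinct half-open connections are ephemeral and differ, so `target_ports -eq 1` is unlikely to ever hold even for a genuinely single-port flood. Restrict the extraction to the local column before `sort -u`, for example `awk '{print $(NF-1)}' | grep -oP ':\d+$'`, after confirming the column index against the header your ss version prints when a state filter is given. The four added comment lines assert that the unquoted form made ss drop the filter; nothing in the hunk shows that, so I would keep only the decision in one line, e.g. `# pass the whole ss filter as one argument so it is parsed as a single expression`, and drop the rest unless the behaviour was reproduced. Separately, `local target_ports=$(...)` masks the pipeline's exit status (ShellCheck SC2155), and with `2>/dev/null` a filter parse error caused by an unexpected `$ip` value is indistinguishable from zero connections, so split the declaration from the assignment and consider validating `$ip` as an address before interpolating it. monitor_network_attacks begins and ends outside this hunk, so where `$ip` and `$count` originate is not visible here.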