diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index de7d337..b524602 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2623,7 +2623,9 @@ monitor_network_attacks() {
 # Smart whitelisting: Skip IPs with MANY successful established connections
 # Only whitelist if IP has 20+ established connections (highly unlikely for attacker)
- local established_conns=$(ss -tn state established 2>/dev/null | grep "$ip" | wc -l)
+ # CRITICAL FIX: Use -w flag to match whole word (prevent partial IP matches)
+ # Example: "1.1.1.1" should not match "11.1.1.1" or "119.1.1.1"
+ local established_conns=$(ss -tn state established 2>/dev/null | grep -w "$ip" | wc -l)
 [ -z "$established_conns" ] && established_conns=0
 if [ "$established_conns" -ge 20 ]; then
 # IP has 20+ established connections = highly likely legitimate user
@@ -2932,7 +2934,10 @@ monitor_network_attacks() {
 # Reset alert if connections drop below threshold
 unset ALERT_SENT[$ip]
 fi
- done < <(ss -tn state syn-recv 2>/dev/null | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | awk '$1 > 5 {print $2, $1}')
+ # CRITICAL FIX: Change awk filter from '$1 > 5' to '$1 >= 3'
+ # Reason: Minimum threshold is 3 connections (Tier 4 attacks), so IPs with 3-5 connections must be processed
+ # Before fix: IPs with <6 connections were silently skipped, preventing detection in high-severity attacks
+ done < <(ss -tn state syn-recv 2>/dev/null | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | awk '$1 >= 3 {print $2, $1}')
 fi
 sleep 5 # Check every 5 seconds (faster detection during active attacks)
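Review bot: `grep -w "$ip"` still counts any `ss` row that mentions the address in either the Local or the Peer column, and the dots in `$ip` remain regex metacharacters, so `established_conns` is "lines mentioning this address", not "established connections from this peer"; `-w` only closes the prefix/suffix case the new comment describes. Comparing the peer column exactly removes both problems and the `grep | wc -l`, and splitting the declaration stops `local` from masking the pipeline status: `local established_conns` then `established_conns=$(ss -tn state established 2>/dev/null | awk -v ip="$ip" '{ sub(/:[0-9]+$/, "", $NF); if ($NF == ip) n++ } END { print n+0 }')`. Separately, the 20-connection whitelist this count feeds can be satisfied by a single attacking host that holds 20 idle keep-alive sessions open before it starts flooding, so that bypass is worth documenting next to the threshold. monitor_network_attacks() starts and ends outside the hunk.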
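Review bot: The `grep -oE` on the rewritten `done < <(...)` line pulls every IPv4 token out of each `ss` row, and every SYN-RECV row carries the host's own local address next to the peer, so the local address is counted once per half-open connection and now clears the lowered `>= 3` filter on any small burst; unless the loop body (which starts outside the hunk) skips the host's own addresses, that entry reaches the blocking logic like any attacker. Selecting the peer column first avoids it: `done < <(ss -tn state syn-recv 2>/dev/null | awk '{print $NF}' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | awk '$1 >= 3 {print $2, $1}')`. The literal `3` must also stay equal to the Tier 4 minimum the comment cites, which is exactly how the old `> 5` drifted out of sync; passing it in as `awk -v min="$min_conns" '$1 >= min {print $2, $1}'` with `min_conns` defined beside the tier thresholds would keep them coupled. Note that only IPv4 literals are extracted here, so IPv6 peers in SYN-RECV are invisible to this path.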
@@ -3346,8 +3351,10 @@ detect_distributed_attacks() {
 if [ ${#batch_ips[@]} -gt 0 ]; then
 batch_block_ips "${batch_ips[@]}"
 echo -e "${CRITICAL_COLOR}[${time_str}] DISTRIBUTED_ATTACK | ${attack_type} from ${unique_ips} IPs | BLOCKED ALL${NC}" >> "$TEMP_DIR/recent_events"
- # BUG FIX: Increment block counter for distributed attacks
- increment_block_counter 1
+ # CRITICAL FIX: Removed duplicate increment_block_counter call
+ # batch_block_ips() already calls increment_block_counter with the actual count on line 1027
+ # Adding another increment_block_counter 1 here causes double-counting
+ # (If 10 IPs blocked: would count as 11 instead of 10)
 fi
 # Check for subnet-level coordination (25+ IPs from same /24)
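Review bot: The new comment pins the counter call to `line 1027`, a reference that goes stale on the next edit to batch_block_ips(); name the contract instead, e.g. `# batch_block_ips() increments the block counter by the number of IPs it actually blocks - do not count again here`. The context line above also appends `BLOCKED ALL` to recent_events without consulting batch_block_ips()'s exit status, so a failed firewall call still leaves a successful-looking entry in the event trail; if that function returns non-zero on failure (it is outside the hunk), guarding the echo on it would keep the log honest. detect_distributed_attacks() starts and ends outside the hunk.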