diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 67a6465..f0ca886 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2224,13 +2224,39 @@ monitor_network_attacks() {
     if command -v ss &>/dev/null; then
         # Get total SYN_RECV count for distributed attack detection
         local total_syn=$(ss -tn state syn-recv 2>/dev/null | wc -l)
-        local distributed_attack=0
+        local attack_severity=0
+        local unique_ips=0
 
-        # Distributed DDoS detection: Many IPs with small counts
-        if [ "$total_syn" -gt 100 ]; then
-            distributed_attack=1
+        # Multi-tier distributed DDoS detection
+        if [ "$total_syn" -gt 300 ]; then
+            attack_severity=3 # Severe DDoS
+        elif [ "$total_syn" -gt 150 ]; then
+            attack_severity=2 # Major DDoS
+        elif [ "$total_syn" -gt 75 ]; then
+            attack_severity=1 # Moderate DDoS
         fi
 
+        # Count unique attacker IPs and track /24 subnets
+        declare -A subnet_counts
+        local attacker_ips=$(ss -tn state syn-recv 2>/dev/null | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u)
+        while IFS= read -r attacker_ip; do
+            [ -z "$attacker_ip" ] && continue
+            ((unique_ips++))
+
+            # Track /24 subnets to detect coordinated attacks
+            local subnet=$(echo "$attacker_ip" | cut -d. -f1-3)
+            ((subnet_counts[$subnet]++))
+        done <<< "$attacker_ips"
+
+        # Coordinated botnet detection: 3+ IPs from same /24
+        local coordinated_attack=0
+        for subnet in "${!subnet_counts[@]}"; do
+            if [ "${subnet_counts[$subnet]}" -ge 3 ]; then
+                coordinated_attack=1
+                break
+            fi
+        done
+
         # Count SYN_RECV connections per IP (sign of SYN flood)
         while read -r ip count; do
             # Skip local/private IPs first
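Review bot: The IP extraction on the new `local attacker_ips=$(ss -tn state syn-recv ... | grep -oE ...)` line matches every dotted-quad on each ss line, so the host's own local address is collected alongside the peer address, inflating unique_ips and giving the server's own /24 a subnet_counts entry (several local aliases in one /24 could set coordinated_attack on their own). It also applies none of the local/private-IP skipping that the per-IP loop below does, so internal peers feed the botnet heuristic; select the peer column before matching, e.g. `attacker_ips=$(ss -tn state syn-recv 2>/dev/null | awk 'NR>1 {print $4}' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u)` (confirm the column against the ss output format in use) and reuse the same skip rule. Separately, `((unique_ips++))` and `((subnet_counts[$subnet]++))` return status 1 on the first increment from 0, which aborts the script if it runs under `set -e` (not visible here); `unique_ips=$((unique_ips + 1))` avoids that. Only IPv4 peers are matched, so IPv6 SYN-RECV entries never reach the subnet heuristic. The enclosing function continues past both ends of the hunk.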
@@ -2244,12 +2270,21 @@ monitor_network_attacks() {
             # Track connection count for this IP
             CONNECTION_COUNT[$ip]=$count
 
-            # Dynamic threshold based on attack type:
-            # - Normal: >20 connections (focused attack)
-            # - Distributed DDoS: >5 connections (botnet)
+            # Dynamic threshold based on attack severity:
+            # Tier 0: >20 connections (normal, focused attack)
+            # Tier 1: >8 connections (75-150 total, moderate DDoS)
+            # Tier 2: >5 connections (150-300 total, major DDoS)
+            # Tier 3: >3 connections (300+ total, severe DDoS)
             local threshold=20
-            if [ "$distributed_attack" -eq 1 ]; then
-                threshold=5 # Lower threshold during distributed attacks
+            case "$attack_severity" in
+                3) threshold=3 ;; # Severe: Very aggressive
+                2) threshold=5 ;; # Major: Aggressive
+                1) threshold=8 ;; # Moderate: Balanced
+            esac
+
+            # Coordinated attack bonus: Lower threshold by 2
+            if [ "$coordinated_attack" -eq 1 ] && [ "$threshold" -gt 3 ]; then
+                threshold=$((threshold - 2))
             fi
 
             if [ "$count" -gt "$threshold" ]; then
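Review bot: The coordinated-attack adjustment `if [ "$coordinated_attack" -eq 1 ] && [ "$threshold" -gt 3 ]; then` lowers the per-IP threshold for every peer, including those outside the dense /24 that raised the flag, so one crowded subnet makes unrelated peers easier to flag. Since `$ip` and `subnet_counts` are both in scope at this point, the bonus can be limited to the offending subnets: `local ip_subnet=${ip%.*}` followed by `if [ "${subnet_counts[$ip_subnet]:-0}" -ge 3 ] && [ "$threshold" -gt 3 ]; then`. The tier ranges in the new comment block also do not match the `-gt` comparisons in the first hunk: 75, 150 and 300 themselves fall in the lower tier, so `(75-150 total, moderate DDoS)` should read `(76-150 total, moderate DDoS)`, and likewise `151-300` and `301+` for the other tiers. The enclosing while loop and function begin and end outside this hunk.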