diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index dbee0dc..67a6465 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2222,6 +2222,15 @@ monitor_network_attacks() {
     while true; do
         # Use ss if available (faster), otherwise netstat
         if command -v ss &>/dev/null; then
+            # Get total SYN_RECV count for distributed attack detection
+            local total_syn=$(ss -tn state syn-recv 2>/dev/null | wc -l)
+            local distributed_attack=0
+
+            # Distributed DDoS detection: Many IPs with small counts
+            if [ "$total_syn" -gt 100 ]; then
+                distributed_attack=1
+            fi
+
             # Count SYN_RECV connections per IP (sign of SYN flood)
             while read -r ip count; do
                 # Skip local/private IPs first
@@ -2235,7 +2244,15 @@ monitor_network_attacks() {
                 # Track connection count for this IP
                 CONNECTION_COUNT[$ip]=$count
 
-                if [ "$count" -gt 20 ]; then # More than 20 SYN_RECV connections = DDoS
+                # Dynamic threshold based on attack type:
+                # - Normal: >20 connections (focused attack)
+                # - Distributed DDoS: >5 connections (botnet)
+                local threshold=20
+                if [ "$distributed_attack" -eq 1 ]; then
+                    threshold=5 # Lower threshold during distributed attacks
+                fi
+
+                if [ "$count" -gt "$threshold" ]; then
                     # Only process once per detection window
                     if [ -z "${ALERT_SENT[$ip]}" ]; then
                         ALERT_SENT[$ip]=1
diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index dbee0dc..67a6465 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
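Review bot: `total_syn` is inflated by one because `ss -tn state syn-recv` prints a column-header line that `wc -l` counts, and `local total_syn=$(...)` additionally masks a failing `ss` (the assignment succeeds with `0` and the detector silently goes quiet). Split the declaration from the assignment and drop the header, e.g. `local total_syn` then `total_syn=$(ss -Htn state syn-recv 2>/dev/null | wc -l)` on iproute2 builds that support `-H` (otherwise `| tail -n +2`), so a broken `ss` can be noticed rather than read as "no attack". The `100` total / `5` per-IP constants are unexplained magic numbers; naming them as `readonly` values next to the existing `20` would make the policy tunable and self-documenting. Lowering the per-IP bar to 5 whenever the host is busy will also flag a NAT gateway or forward proxy with a few half-open connections, so a comment like `# NOTE: 5 is aggressive; clients behind shared NAT can exceed this legitimately` would help whoever tunes this. The identical change is applied to modules/security/live-attack-monitor.sh (same index hashes, so the two scripts are byte-for-byte copies); any fix must be mirrored there, and the duplication itself is worth consolidating.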
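Review bot: `threshold` is recomputed on every iteration of the per-IP `while read -r ip count` loop even though it depends only on `distributed_attack`, which is fixed before the loop starts; compute it once beside the `distributed_attack=1` block, e.g. `local threshold=20` followed by `[ "$distributed_attack" -eq 1 ] && threshold=5`, and keep only `if [ "$count" -gt "$threshold" ]; then` here so the policy lives in one place. The three-line comment explaining the two thresholds should move with it, since it describes the selection rather than the comparison. The enclosing `while read` loop and its input redirection are outside this hunk; the netstat fallback branch that the `command -v ss` test selects is also outside it and presumably still compares against a fixed 20, in which case the two code paths now disagree on what a SYN flood looks like. The same observation applies to the second hunk of modules/security/live-attack-monitor.sh.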
@@ -2222,6 +2222,15 @@ monitor_network_attacks() {
     while true; do
         # Use ss if available (faster), otherwise netstat
         if command -v ss &>/dev/null; then
+            # Get total SYN_RECV count for distributed attack detection
+            local total_syn=$(ss -tn state syn-recv 2>/dev/null | wc -l)
+            local distributed_attack=0
+
+            # Distributed DDoS detection: Many IPs with small counts
+            if [ "$total_syn" -gt 100 ]; then
+                distributed_attack=1
+            fi
+
             # Count SYN_RECV connections per IP (sign of SYN flood)
             while read -r ip count; do
                 # Skip local/private IPs first
@@ -2235,7 +2244,15 @@ monitor_network_attacks() {
                 # Track connection count for this IP
                 CONNECTION_COUNT[$ip]=$count
 
-                if [ "$count" -gt 20 ]; then # More than 20 SYN_RECV connections = DDoS
+                # Dynamic threshold based on attack type:
+                # - Normal: >20 connections (focused attack)
+                # - Distributed DDoS: >5 connections (botnet)
+                local threshold=20
+                if [ "$distributed_attack" -eq 1 ]; then
+                    threshold=5 # Lower threshold during distributed attacks
+                fi
+
+                if [ "$count" -gt "$threshold" ]; then
                     # Only process once per detection window
                     if [ -z "${ALERT_SENT[$ip]}" ]; then
                         ALERT_SENT[$ip]=1