Code Room
System design · Hard
Question
Design abuse/throttling protection for a login endpoint under credential-stuffing attacks. Attackers rotate across thousands of IPs and try many usernames, so per-IP limits alone don't catch them. You must throttle attackers hard while barely affecting legitimate users (a shared corporate NAT can put thousands of real users behind one IP). Design the multi-dimensional rate-limiting/throttling scheme and how you avoid false positives.
What a strong answer looks like
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
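One possible shape for the multi-dimensional scheme the question asks for, as an added sketch that is not part of the original page: per-username failures summed across all IPs, per-IP distinct failing usernames gated by failure ratio (so a busy NAT is not punished for volume alone), and a site-wide failure-rate tripwire that challenges only never-seen (IP, username) pairs. All names, thresholds and the sample traffic are assumptions, and the counters cover a single time window.

```python
from collections import defaultdict

# Thresholds are assumed values for illustration; tune them on real traffic.
USER_FAILS = 5       # failures per username per window, summed over all IPs
IP_DISTINCT = 10     # distinct usernames failing from one IP per window...
IP_FAIL_RATIO = 0.8  # ...with at least this share of the IP's attempts failing
GLOBAL_RATIO = 0.5   # site-wide failure share that signals an attack
GLOBAL_MIN = 100     # attempts needed before the global ratio is trusted

class LoginThrottle:  # counters for one time window; window rotation omitted
    def __init__(self):
        self.ip_total, self.ip_fail = defaultdict(int), defaultdict(int)
        self.ip_failed_users, self.user_fail = defaultdict(set), defaultdict(int)
        self.total = self.fail = 0
        self.known = set()  # (ip, user) pairs that have logged in successfully

    def decide(self, ip, user):
        """Return 'allow', 'challenge' (CAPTCHA or MFA step-up) or 'block'."""
        if self.user_fail[user] >= USER_FAILS:
            return "challenge"  # account is being guessed; do not lock the owner out
        if (len(self.ip_failed_users[ip]) >= IP_DISTINCT
                and self.ip_fail[ip] / self.ip_total[ip] >= IP_FAIL_RATIO):
            return "block"      # many usernames, nearly all failing: not a busy NAT
        attack = self.total >= GLOBAL_MIN and self.fail / self.total >= GLOBAL_RATIO
        if attack and (ip, user) not in self.known:
            return "challenge"  # rotating IPs: step up only never-seen pairs
        return "allow"

    def record(self, ip, user, ok):
        self.ip_total[ip] += 1
        self.total += 1
        if ok:
            self.known.add((ip, user))
            return
        self.fail += 1
        self.ip_fail[ip] += 1
        self.ip_failed_users[ip].add(user)
        self.user_fail[user] += 1

def replay(throttle, events):
    """Decide, then record, each (ip, user, ok) event; return the decisions."""
    out = []
    for ip, user, ok in events:
        out.append(throttle.decide(ip, user))
        throttle.record(ip, user, ok)
    return out

# Constructed sample traffic: one NAT IP with 100 real users, 250 rotating bot IPs.
NAT = [("203.0.113.10", f"emp{i}", True) for i in range(100)]
BOTS = [(f"198.51.100.{i}", f"victim{i}", False) for i in range(250)]
```

Replaying `NAT`, then `BOTS`, then `NAT` again through one `LoginThrottle` keeps every NAT login allowed, while the rotating IPs start being challenged once the site-wide failure share crosses `GLOBAL_RATIO`.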