← Back to All Questions
Very Hard~55 minSecurity Systems

Design Distributed Botnet Detection System

CloudflareAkamaiImpervaFastlyAWS

📝 Problem Description

Design a system to detect and mitigate botnet attacks in real-time. Analyze network traffic patterns, identify coordinated attacks, and block malicious traffic while allowing legitimate users.

👤 Use Cases

1.
System wants to analyzes traffic so that identifies bot patterns
2.
System wants to detects DDoS attack so that activates mitigation
3.
Legitimate User wants to accesses site during attack so that allowed through
4.
Security Team wants to reviews threats so that updates detection rules

✅ Functional Requirements

  • Analyze traffic patterns at line rate
  • Detect coordinated bot behavior
  • Distinguish bots from humans
  • Block malicious traffic
  • Allow legitimate users (CAPTCHA fallback)
  • Real-time threat intelligence

⚡ Non-Functional Requirements

  • Process 10Tbps traffic
  • Detection latency < 100ms
  • False positive rate < 0.1%
  • Zero impact on legitimate traffic

⚠️ Constraints & Assumptions

  • Attacks are distributed and adaptive
  • Cannot inspect encrypted payloads
  • Must handle traffic spikes

📊 Capacity Estimation

👥 Users
N/A (network-level)
💾 Storage
100TB (traffic logs, threat intel)
⚡ QPS
100M requests/sec during attack
📐 Assumptions
  • 10Tbps peak traffic during DDoS
  • 100M requests/second at attack peak
  • 1M unique IPs per hour
  • 5% traffic is bot during normal times
  • 50%+ traffic is bot during attack
  • Detection decision needed per-request

💡 Key Concepts

CRITICAL
Behavioral Fingerprinting
Identify bots by behavior patterns, not just IP.
HIGH
Bloom Filters
Fast membership testing for known bad actors.
CRITICAL
Correlation Analysis
Detect coordinated attacks across distributed sources.
HIGH
Adaptive Rate Limiting
Dynamic thresholds based on attack intensity.

💡 Interview Tips

  • 💡Start with the layered defense approach
  • 💡Discuss the edge vs origin tradeoff
  • 💡Emphasize the false positive challenge
  • 💡Be prepared to discuss different attack types
  • 💡Know the difference between network and application layer attacks
  • 💡Understand rate limiting algorithms (token bucket, leaky bucket)