How do I approach System Design interview questions?

System Design questions require understanding of core concepts and practice. PracHub provides solutions with explanations to help you master system design interviews.

What difficulty level is this interview question?

This is a medium difficulty System Design question, commonly asked during Onsite rounds at LinkedIn.

What role is this question designed for?

This question is commonly asked for Software Engineer candidates at LinkedIn during technical interviews.

Design a malicious-URL checking service using an isMalicious API

Quick Overview

This question evaluates system design competencies such as scalable API design, caching and cache invalidation strategies, rate limiting and backpressure, fault tolerance and circuit-breaking, data modeling for reputation storage, partitioning, and operational metrics for reliability.

Design a backend service that determines whether a given URL is malicious.

You have access to an external dependency:

isMalicious(url) -> bool (black-box API)

This external API is:

Rate-limited (e.g., 1k QPS max) and sometimes slow (p95 500ms) or unavailable.
Potentially costly per call.

Your service should expose an internal API such as:

GET /reputation?url=... → returns { verdict: "malicious"|"benign"|"unknown", checkedAt, confidence }

Requirements

Low latency for repeated queries.
Must handle high traffic (e.g., 50k QPS reads) while respecting the external API limit.
Avoid repeatedly calling isMalicious for the same URL.
Provide reasonable behavior for timeouts/outages (no cascading failures).
Support background re-checking because reputations can change.

Explain:

APIs and key workflows (read path, cache miss path, async refresh)
Data model and storage choices
Caching strategy, TTLs, and deduplication of concurrent requests
Rate limiting / backpressure / circuit breaker strategy
Scaling, partitioning, and reliability
Metrics and operational concerns

Quick Overview

Design a backend service that determines whether a given URL is malicious.

You have access to an external dependency:

isMalicious(url) -> bool (black-box API)

This external API is:

Rate-limited (e.g., 1k QPS max) and sometimes slow (p95 500ms) or unavailable.
Potentially costly per call.

Your service should expose an internal API such as:

GET /reputation?url=... → returns { verdict: "malicious"|"benign"|"unknown", checkedAt, confidence }

Requirements

Low latency for repeated queries.
Must handle high traffic (e.g., 50k QPS reads) while respecting the external API limit.
Avoid repeatedly calling isMalicious for the same URL.
Provide reasonable behavior for timeouts/outages (no cascading failures).
Support background re-checking because reputations can change.

Explain:

APIs and key workflows (read path, cache miss path, async refresh)
Data model and storage choices
Caching strategy, TTLs, and deduplication of concurrent requests
Rate limiting / backpressure / circuit breaker strategy
Scaling, partitioning, and reliability
Metrics and operational concerns

Design a malicious-URL checking service using an isMalicious API

Quick Overview

Requirements

Solution

Comments (0)

Design a malicious-URL checking service using an isMalicious API

Quick Overview

Requirements

Solution

Comments (0)