Abu Hurayra

How a Tiny React Bug Triggered a Thundering Herd: Lessons from Cloudflare’s Sept 12 Outage

Abu Hurayra

·

What Is the Thundering Herd Problem?

The Thundering Herd Problem refers to a scenario in computing where many processes, threads, or clients try to do something (e.g. access a service, retry a request, etc.) all at once—especially when a resource becomes available or an error is resolved—and this flood of simultaneous activity overwhelms the system. It’s like when a stadium gate opens after a delay, and the crowd surges forward all at once, causing congestion or mishaps.

In distributed systems, high-availability services, and front-end/back-end interactions (for example, dashboards invoking APIs), unanticipated thundering herd behavior can lead to degraded performance, failed requests, or full outages.

Cloudflare’s September 12, 2025 Incident: A Real-World Case Study

Here’s what happened, drawing from Cloudflare’s post-mortem and reporting by third parties. (The Cloudflare Blog)

  • At 17:57 UTC on September 12, 2025, Cloudflare’s Dashboard and multiple related APIs began failing. The root cause: a newly released version of the Dashboard had a bug. (The Cloudflare Blog)
  • The bug was in a React useEffect hook: a problematic object was included in the dependency array that was being re-created on every state or prop change. Because React treats dependency arrays via reference equality, the effect kept re-running, triggering many API calls instead of just one. (The Cloudflare Blog)
  • Meanwhile, Cloudflare had deployed a new version of their Tenant Service API at 17:50 UTC. The combination of (a) the dashboard generating excessive API calls and (b) the service being under altered load/validation logic created instability. The Tenant Service became overwhelmed. (The Cloudflare Blog)
  • Because Tenant Service is part of the authorization logic for many of Cloudflare’s APIs and the Dashboard, when it fails or becomes unstable, many other components return errors (5xx status codes). That’s how the issue cascaded. (The Cloudflare Blog)

How the Thundering Herd Manifested in This Case

Cloudflare’s outage is almost textbook for a Thundering Herd:

  • The dashboard bug triggered many requests at once (due to unstable dependency objects in useEffect).
  • State changes or prop changes triggered re-renders, which re-triggered the effect, causing even more load.
  • As the Tenant Service slowed or failed, retries likely piled up, further increasing load.
  • When the service partially recovered, many clients (or dashboard instances) tried to reconnect or authenticate, so that recovery itself caused a “herd” surge. Cloudflare notes this pattern explicitly. (The Cloudflare Blog)

Mitigation & What Was Done

Cloudflare’s response and future plans illustrate how to both react to and prevent such scenarios. (The Cloudflare Blog)

  1. Rate Limiting
    They applied a global rate-limit on the Tenant Service to reduce excess load. This helps to dampen the impact of flooding requests. (The Cloudflare Blog)
  2. Scaling & Resource Allocation
    They increased the number of Kubernetes pods running the Tenant Service, allocating more capacity to handle load spikes. (The Cloudflare Blog)
  3. Hotfixes and Rollbacks
    They attempted patches and version changes; some made things worse and had to be reverted. Part of mitigation is making sure deployment practices allow fast rollback. (The Cloudflare Blog)
  4. Observability & Telemetry Improvements
    • Adding metadata to requests to distinguish retries vs new requests. (The Cloudflare Blog)
    • More proactive alerts when traffic patterns deviate or when dependent services (e.g. Tenant Service) approach capacity limits. (The Cloudflare Blog)
  5. Randomized Backoff / Delay
    To avoid synchronized retry storms or recovery bursts, introducing small random delays can spread load out (a technique often used in distributed systems). Cloudflare says they will include random delays in dashboard retry logic. (The Cloudflare Blog)
  6. Better Deployment Safety
    Using mechanisms like Argo Rollouts for canary / incremental deployment so that faulty updates can be more safely tested and automatically rolled back. (The Cloudflare Blog)

Lessons Learned & Best Practices

  • Don’t underestimate front-end bugs: Even what seems like innocent code (e.g. React effects) can cause huge backend impact.
  • Be careful with dependency arrays / unstable objects in reactive/UI frameworks. Use stable references (useMemo, constants outside components, or primitive values).
  • Always consider what happens when a critical service becomes unavailable: do dependent services fail gracefully? Is authorization logic too tightly coupled?
  • Implement rate limiting, backoff, queueing, or bursting protection for critical internal APIs.
  • Have good telemetry: know whether requests are fresh or retries; track error rates, latencies; set thresholds.
  • Use safer deployment workflows: canaries, auto-rollback, feature flags, etc.

Conclusion

The Thundering Herd Problem isn’t just theoretical—it can and does happen even in mature infrastructure. Cloudflare’s Sept 12, 2025 outage is a powerful reminder: a small bug (in a React useEffect dependency) plus an under-prepared backend and missing mitigations can combine to take down critical services.

If you design APIs, dashboards, or any system with many clients or retries, think ahead: guard against dependency instability, synchronized retries, and uncontrolled request floods. With proper observability, rate limits, delayed retries, and careful deployment strategies, you can reduce risk dramatically.

Visitor Count: 10
, , , ,

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *