Thundering Herd Problem
Practical example
A CDN edge layer caches a popular product page with a 60-second TTL applied uniformly at deploy time; when the TTL expires, thousands of edge nodes simultaneously miss and forward requests to the origin API, which was sized for steady-state traffic and falls over, triggering client retries that extend the outage.
The thundering herd problem arises whenever a system has a synchronization point that causes many independent clients to converge on the same downstream dependency at the same instant. Classic triggers include a hot cache key expiring (cache stampede or dogpile effect), a load balancer or DNS failover redirecting all traffic to a newly promoted node, a distributed cron job firing on aligned wall-clock boundaries, or every replica reconnecting simultaneously after a network partition heals. The defining characteristic is that the herd is not caused by organic load growth but by correlated timing across otherwise independent actors.
Mitigation strategies operate at different layers. Request coalescing (a.k.a. singleflight or dogpile locking) ensures only one in-flight request per cache key reaches the origin while concurrent callers block on or receive the same in-progress result. Jittered TTLs and probabilistic early expiration (e.g., XFetch) desynchronize cache invalidation so keys expire at slightly different times instead of in lockstep. At the client/retry layer, exponential backoff with full jitter prevents synchronized retry waves, and connection/rate-limited backoff on reconnect storms is essential after partition recovery. At the resource layer itself, admission control, semaphores, and queueing bound how much of the herd is allowed to reach the critical section concurrently, converting an unbounded stampede into a bounded, serialized queue.
The problem compounds in distributed caches: if cache nodes are sharded by key but TTLs were set identically at write time (e.g., a bulk warm-up job), an entire shard’s key space can expire within the same second, producing a stampede against the origin database that is proportional to the shard’s cache miss fan-out rather than a single key. Similarly, Kubernetes readiness probes and HPA scale-up events can create a herd against a newly available pod’s connection pool before it has warmed up, producing latency spikes that look like a capacity problem but are actually a synchronization problem.
Architecturally, the presence of a thundering herd risk indicates a hidden single point of serialization behind an apparently horizontally-scaled front end. Designing against it requires explicitly identifying every synchronization boundary in the system — cache TTL policies, retry schedules, leader election timers, health-check intervals — and deliberately injecting jitter or coalescing at each one, rather than relying on capacity headroom alone.