What Are Cache Stampedes, Poisoned Caches, and Other CDN Failure Modes?
Cache Stampede Mechanics
A cache stampede (also called a thundering herd) occurs when a cached item expires and many concurrent requests all miss and try to regenerate it at once. The window of exposure is the regeneration time itself: if the origin needs 500 ms to compute the item and 1,000 requests for that key arrive in those 500 ms, every one of them misses and hits the origin simultaneously. Load on that key jumps from one query per TTL period to 1,000 concurrent queries, which slows the origin, lengthens the regeneration window, pulls in still more misses, and can cascade into origin failure and a complete cache breakdown.
Stampede Prevention Strategies
Request coalescing (also called request collapsing) groups concurrent misses for the same key so only one request reaches the origin; the others wait for that response and share it. Probabilistic early expiration recomputes an entry before its TTL ends: with a 60-second TTL, each read during roughly the last 10 seconds has a small but steeply rising chance of triggering regeneration, scaled by how long the recompute takes, so a fresh copy is usually in place before the hard expiry and slow items are refreshed earliest. Locking uses a distributed lock (a coordinated flag visible to every node) so that exactly one node regenerates while the others keep serving the stale copy. Each approach trades complexity for coverage: coalescing is simplest but only collapses requests that meet on the same node; probabilistic early expiration needs no coordination but relies on steady traffic to trigger the early refresh, so it suits predictable load; locking adds a dependency on the lock store but protects the whole fleet against unpredictable spikes.
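The following is an added example, not code from the page: a small in-process cache that combines the first two strategies, coalescing concurrent misses onto a single regenerator (late arrivals take the stale copy while a refresh is in flight) and deciding freshness with the XFetch rule for probabilistic early expiration. The class and function names (StampedeSafeCache, xfetch_should_refresh, slow_origin, stampede) and the 50 ms "origin" are this example's own constructions.

```python
import math
import random
import threading
import time

# Added example, not the page's code. slow_origin stands in for an expensive query;
# StampedeSafeCache.origin_calls is instrumentation so the effect can be measured.


def xfetch_should_refresh(now, expiry, delta, beta=1.0, rnd=random.random):
    """XFetch rule: refresh early when now - delta*beta*ln(u) >= expiry, with u uniform
    in (0,1) and delta the duration of the last recompute. The chance of an early refresh
    rises steeply near expiry and is larger for slow-to-rebuild entries; beta > 1 is more eager."""
    if now >= expiry:
        return True
    u = rnd() or 1e-12                       # guard against ln(0)
    return now - delta * beta * math.log(u) >= expiry


class StampedeSafeCache:
    def __init__(self, compute, ttl, beta=1.0, clock=time.monotonic):
        self._compute = compute              # origin call: key -> value
        self._ttl = ttl
        self._beta = beta
        self._clock = clock                  # injectable for deterministic tests
        self._entries = {}                   # key -> (value, recompute_seconds, expiry)
        self._inflight = {}                  # key -> Event set when the regenerator finishes
        self._lock = threading.Lock()
        self.origin_calls = 0

    def get(self, key):
        now = self._clock()
        with self._lock:
            entry = self._entries.get(key)
            if entry is not None and not xfetch_should_refresh(now, entry[2], entry[1], self._beta):
                return entry[0]              # fresh hit
            waiter = self._inflight.get(key)
            leader = waiter is None
            if leader:                       # first miss becomes the single regenerator
                waiter = threading.Event()
                self._inflight[key] = waiter
                self.origin_calls += 1
        if not leader:
            if entry is not None:
                return entry[0]              # stale-while-revalidate: a refresh is already running
            waiter.wait()                    # cold key: coalesce onto the leader's result
            with self._lock:
                entry = self._entries.get(key)
            if entry is None:
                raise RuntimeError(f"regeneration of {key!r} failed")
            return entry[0]
        try:
            start = self._clock()
            value = self._compute(key)
            delta = self._clock() - start
            with self._lock:
                self._entries[key] = (value, delta, self._clock() + self._ttl)
        finally:
            with self._lock:
                self._inflight.pop(key, None)
            waiter.set()                     # release waiters even if compute raised
        return value


def slow_origin(key):
    """Constructed stand-in for a 50 ms query."""
    time.sleep(0.05)
    return f"rendered:{key}"


def stampede(cache, key, n_clients):
    """Fire n_clients concurrent reads of one cold key; return the values they received."""
    results, guard = [], threading.Lock()

    def client():
        value = cache.get(key)
        with guard:
            results.append(value)

    threads = [threading.Thread(target=client) for _ in range(n_clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    cache = StampedeSafeCache(slow_origin, ttl=60)
    got = stampede(cache, "report", 200)
    print(f"{len(got)} clients served, origin called {cache.origin_calls} time(s)")
```

Without the in-flight map, every thread in `stampede` would call `slow_origin`; with it, one call serves all of them. A distributed lock replaces the `_inflight` dictionary when the same protection is needed across CDN nodes rather than within one process.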
Cache Poisoning Attacks
Cache poisoning injects malicious content into a CDN cache so that it is served to every subsequent user. Attack vectors include: unkeyed headers, where the attacker manipulates a request header (such as X-Forwarded-Host) that the origin reflects into the response but that is not part of the cache key, so the poisoned response is stored under the legitimate key and served to victims who never sent the header. HTTP response splitting injects CRLF sequences into a header value the server reflects, terminating the real headers and appending attacker-controlled headers and body that the cache may store as the page. Web cache deception tricks the cache into storing a sensitive page: the attacker sends the victim a link such as /account/settings/logo.png; the application routes on the /account/settings prefix, ignores the fake extension and returns the victim's settings page, while the CDN sees the .png suffix, treats the response as a static image and caches it. The attacker then requests the same URL and reads the victim's private data from the cache.
Defensive Measures
Defense requires multiple layers. Cache key normalization: include every request header that influences the response in the cache key, or strip untrusted headers (X-Forwarded-Host and similar forwarding headers) at the edge before they reach the origin. Strict URL validation: reject paths containing traversal sequences or an extension that does not belong to the route. Response validation: cache according to what the origin actually returned, not what the URL suffix suggests; refuse to store a response whose Content-Type does not match the extension. Cache segmentation: never store authenticated responses on public CDN nodes (treat a request carrying a Cookie or Authorization header as uncacheable) and keep public and private content in separate cache layers. Have the origin set Cache-Control: private (or no-store) on every response containing user-specific data, so that compliant shared caches will not retain it even if the other layers fail.
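To make the two attacks above and the defenses listed here concrete, the following is an added example and not code from the page: a toy origin with the two server-side flaws the attacks rely on (reflecting X-Forwarded-Host, and routing /account/ by prefix so a fake extension is ignored), an edge cache that keys on path alone, and an edge that applies cache-key normalization, path validation, Content-Type checking and segmentation of authenticated traffic. The hostnames, the `session=alice` cookie, the header denylist and all class and function names are constructed for this example.

```python
import posixpath
from dataclasses import dataclass

# Added example, not the page's code. Header names are lower-cased by the caller.


@dataclass
class Request:
    path: str
    headers: dict


@dataclass
class Response:
    status: int
    headers: dict
    body: str


STATIC_TYPES = {".png": "image/png", ".js": "application/javascript", ".css": "text/css"}
# Client-supplied headers an origin may reflect; an edge should never forward them unchanged.
UNTRUSTED_FORWARDING = {"x-forwarded-host", "x-forwarded-scheme", "x-original-url", "x-rewrite-url"}


def buggy_origin(req):
    """Constructed origin: prefix routing ignores a fake extension, and X-Forwarded-Host
    is reflected into a script URL without being part of any cache key."""
    if req.path.startswith("/account/"):
        who = req.headers.get("cookie", "anonymous")
        return Response(200, {"content-type": "text/html"}, f"<p>settings for {who}</p>")
    host = req.headers.get("x-forwarded-host", "www.example.test")
    return Response(200, {"content-type": "text/html"}, f'<script src="//{host}/app.js"></script>')


class NaiveEdge:
    """Key is the path alone and every 200 is stored: both attacks succeed."""

    def __init__(self, origin):
        self.origin, self.store = origin, {}

    def fetch(self, req):
        if req.path in self.store:
            return self.store[req.path]
        resp = self.origin(req)
        if resp.status == 200:
            self.store[req.path] = resp
        return resp


class HardenedEdge:
    def __init__(self, origin, vary=("accept-encoding",)):
        self.origin, self.store, self.vary = origin, {}, vary

    def _normalize(self, req):
        # Strip forwarding headers rather than key on them: keying would let an attacker
        # store one poisoned variant per value, stripping removes the input altogether.
        headers = {k.lower(): v for k, v in req.headers.items()
                   if k.lower() not in UNTRUSTED_FORWARDING}
        if not req.path.startswith("/") or ".." in req.path.split("/"):
            return None                                  # traversal or malformed path
        return Request(posixpath.normpath(req.path), headers)

    def _key(self, req):
        # host + normalized path + the headers the origin varies on
        return (req.headers.get("host", ""), req.path,
                tuple((h, req.headers.get(h, "")) for h in self.vary))

    def _cacheable(self, req, resp):
        if resp.status != 200:
            return False
        if "cookie" in req.headers or "authorization" in req.headers:
            return False                                 # never cache authenticated traffic
        cc = resp.headers.get("cache-control", "")
        if "private" in cc or "no-store" in cc or "set-cookie" in resp.headers:
            return False
        # Decide by what the origin returned, not by the URL suffix.
        expected = STATIC_TYPES.get(posixpath.splitext(req.path)[1], "text/html")
        return resp.headers.get("content-type", "").split(";")[0].strip() == expected

    def fetch(self, req):
        req = self._normalize(req)
        if req is None:
            return Response(400, {}, "rejected path")
        key = self._key(req)
        if key in self.store:
            return self.store[key]
        resp = self.origin(req)
        if self._cacheable(req, resp):
            self.store[key] = resp
        return resp


def run_attacks(edge_cls):
    """Replay both attacks against a fresh edge; return what the victim and attacker see."""
    edge = edge_cls(buggy_origin)
    # 1. Unkeyed-header poisoning: attacker primes "/" with a hostile X-Forwarded-Host,
    #    then the victim requests "/" without that header.
    edge.fetch(Request("/", {"host": "www.example.test", "x-forwarded-host": "evil.test"}))
    victim_home = edge.fetch(Request("/", {"host": "www.example.test"})).body
    # 2. Web cache deception: the logged-in victim follows the attacker's link, then the
    #    attacker requests the same URL anonymously.
    edge.fetch(Request("/account/settings/logo.png",
                       {"host": "www.example.test", "cookie": "session=alice"}))
    attacker_view = edge.fetch(Request("/account/settings/logo.png",
                                       {"host": "www.example.test"})).body
    return {"victim_home": victim_home, "attacker_view": attacker_view}
```

Run `run_attacks(NaiveEdge)` and the victim's home page loads a script from evil.test while the attacker reads "settings for session=alice"; run it against `HardenedEdge` and the victim gets the legitimate script URL and the attacker sees only the anonymous page, because the reflected header never reached the origin and a text/html body under a .png path was never stored. Note that the origin in this example is still broken; the edge controls only limit the blast radius, which is why the page also asks the origin to mark user-specific responses Cache-Control: private.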