Cloudflare inadvertently triggered a DDoS attack on itself through a mistake in how it used the React useEffect hook.
On September 12, Cloudflare experienced an hour-long outage that affected its dashboard and many APIs. The root cause of the issue was traced back to a coding error in a React useEffect hook.
The useEffect hook, which takes a setup function and an optional list of dependencies, is an essential part of React. However, it seems that in this case the hook was misused, leading to repeated calls during a single render of the dashboard, when it was only intended to run once.
The problem lay with an object that was included in the dependency array of the useEffect hook and was recreated on every state or prop change. React treats a newly created object as a changed dependency, so the effect ran again each time. This caused unnecessary calls to the Tenant Service API, a part of the API request authorization logic.
According to Lianza, the Tenant Service did not have enough capacity to handle such spikes in load. More resources have been allocated to it, along with improved monitoring, to prevent such occurrences in the future.
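The dependency comparison described above, modelled as an added example (not Cloudflare's dashboard code and not React itself): React compares each dependency with its previous value using Object.is, so an object built during render always counts as changed. The names accountId, query and simulateRenders are hypothetical.

```javascript
// Simulation of React's effect scheduling: an effect re-runs when any
// dependency differs (by Object.is) from its value on the previous render.
function depsChanged(prev, next) {
  if (prev === null || prev.length !== next.length) return true;
  return next.some((dep, i) => !Object.is(dep, prev[i]));
}

// Renders `component` once per state in `states` and counts how often its
// effect fires. Each firing stands in for one API request.
function simulateRenders(component, states) {
  let prevDeps = null;
  let apiCalls = 0;
  const memo = {}; // per-component cache, standing in for useMemo
  for (const state of states) {
    const deps = component(state, memo);
    if (depsChanged(prevDeps, deps)) apiCalls += 1;
    prevDeps = deps;
  }
  return apiCalls;
}

// Buggy pattern: the object literal gets a new identity on every render,
// so the dependency array never compares equal.
function buggyComponent(state) {
  const query = { accountId: state.accountId };
  return [query];
}

// Fix 1: depend on the primitive value instead of the wrapper object.
function primitiveDepsComponent(state) {
  return [state.accountId];
}

// Fix 2: keep the object's identity stable while its contents are unchanged.
function memoizedComponent(state, memo) {
  if (!memo.query || memo.query.accountId !== state.accountId) {
    memo.query = { accountId: state.accountId };
  }
  return [memo.query];
}

// Constructed input: five renders caused by unrelated state changes (tick),
// all for the same account.
const renders = [0, 1, 2, 3, 4].map((tick) => ({ accountId: "acct-1", tick }));
console.log("buggy:", simulateRenders(buggyComponent, renders));
console.log("primitive deps:", simulateRenders(primitiveDepsComponent, renders));
console.log("memoized:", simulateRenders(memoizedComponent, renders));
```

In the buggy variant the request count scales with the number of renders rather than with changes to the data the request depends on, which is the load pattern a backend with limited capacity cannot absorb.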
The outage also sparked a discussion in the community about the pros and cons of the useEffect hook. While some defended its use, others criticized excessive use of the hook, claiming that nearly everyone they know continues to put it everywhere for no reason.
The useEffect hook can be powerful, but it's often overused and has common performance pitfalls. To address this, the useEffect hook documentation contains warnings about misuse and common errors, and encourages the use of other approaches where possible.
New information has been added to API calls from the Cloudflare dashboard to distinguish retries from new requests, which would have made it easier to identify the issue as a loop in the dashboard.
The real problem, according to another comment, was the Tenant Service API going down due to excessive API calls, despite the company having dedicated services to prevent DDoS.
This incident serves as a reminder for developers to be mindful of how they use tools like the useEffect hook and to always consider the impact of their code on the overall system.