Noisy Routers: Investigating the Make-up route collector data

BGP: Fundamentals and problem statement

One of the original design goals of BGP is to enable ASes to signal reachability changes for newly available prefixes, withdrawn prefixes, or any other attribute changes. This design goal requires that each update conveys new routing information, enabling routers to maintain consistent, converged forwarding tables. However, in practice, BGP often generates large numbers of repeated updates. Both RIPE RIS and RouteViews have recently observed an increasing number of incidents in which a small subset of their peers generate a significant volume of updates. Consistent with these reports, we observed up to 2.93 billion updates from a single collector peer (AS140627) in one day. In contrast, another collector peer (AS132280) observed over a comparable period contributed only 307 updates per day. This significant difference underscores the disproportionate burden that a small fraction of peers can impose on routing archives.

Pathological BGP noise and the motivation for our study

Several operational issues, such as persistent route flapping and the effects of transitive BGP communities, can result in recurring patterns of identical or near-identical updates with the same or similar attributes. We consider an announcement to be noise when it repeats the same prefix and attributes several times within a short interval (e.g., a minute) or rapidly oscillates between a few AS paths or community values, without introducing new observable routing state. We refer to such updates as noise because they clutter measurements, complicate downstream analysis, and provide little additional value for many operational and research tasks.

Finally, although prior work has investigated BGP noise and hypothesised potential causes, little is known about its prevalence and characteristics, its manifestation in MRT archives, and how we can safely distinguish it from genuine routing events. Our study fills this gap by quantifying and characterising noise in already-collected MRT archives from RouteViews.

Finding 1: A small fraction of peers dominate BGP updates over 13 years

Our first goal was to evaluate whether high-frequency repeated updates are driven by a small set of peers.

We constructed a daily time series of update counts for each RouteViews collector–peer pair over the 13 years. We then ranked these pairs by update volume and grouped them into four percentile bins based on their contributions: 95–100%, 75–95%, 50–75%, and the lower 50%. This enabled us to quantify the distribution of updates across peers and identify the most dominant contributors. Finally, we computed the cumulative update share of each collector–peer pair to identify the top contributors over time and aggregated the remaining peers into others.

We observed continuous growth in the amount of BGP data collected by RouteViews since 2012, reaching 1 billion daily updates in 2025, as shown in Figure 1 (top). Precisely, RouteViews collectors recorded 2.6 trillion updates from ≈1.1K collector–peer pairs representing 649 unique ASNs across the 13 years. Of these, the top 5% peers (on average, 16 peers per day) accounted for 1.5 trillion (55.86%) of all 2.6 trillion updates.

In contrast, the lower 50% of peers (an average of 153 peers per day) generated 136.5B (5.17%) of the total updates, indicating that a peer in the top 5% on average recorded 16.4M updates per day compared to 169.5K for peers in the lower 50%.

Figure 1: Daily update share of RouteViews's peers (top) and top contributors over time (bottom). The top 5% of peers contributed an average of 303M updates per day, accounting for 55.2% of total daily updates, while the lower 50% contributed 29.2M updates per day (5.3%).

Figure 1 (bottom) shows the share of updates contributed by the top collector peers. Of the 1,066 unique collector peer pairs, the top 5 collector peer pairs (0.47% of all peers) alone contributed 674.9B updates, which is 26.67% of the total updates during the 13 years. AS140627 alone accounted for ≈14% of all updates and even contributed over two-thirds (69.24%) of the total updates between October 2021 and March 2022. We observed similar anomalous behaviour between AS58511 (7.40% of all updates) and AS34968 (2.64% of all updates). Finally, on March 20, 2022, only 11 collector peers collectively accounted for approximately 90% of all observed updates.

In summary, our findings show that a small fraction of collectors and their peers accounted for a disproportionately large share of the updates during the past 13 years. Measurement studies using these BGP updates should account for potential bias introduced by a few highly active peers.

Finding 2: A small fraction of sessions and prefixes account for most updates in December 2021

Given that a few peers were largely responsible for the high volume of repeated updates, we were interested in understanding the distributions of updates across sessions (routing connections between peers and collectors), prefixes, and AS paths.

We computed the per-minute update share for each session to construct a time series of update contributions and then calculated the mean percentage contribution for each session across the month (December 2021). We then used these values to derive summary statistics to assess the session's stability over time. Refer to our paper for more details.

We observed a strongly uneven distribution of updates. For instance, while most BGP sessions contributed relatively small and stable update volumes, a small fraction intermittently dominated the update traces (Figure 2). Precisely, the top 19 sessions (about 2% of all sessions) accounted for more than two-thirds of the total updates in December 2021, while the remaining 98% of sessions contributed only about 28.7% of the updates. In addition, a single session associated with AS140627 accounted for an exceptionally large share of the updates, averaging 28.67% of the per-minute update stream during the month and reaching peaks of around 82% on some days.

Figure 2: Variability of update distributions among BGP sessions: While most sessions remained relatively stable, 140627-218.100.76.17 intermittently dominated during the month, fluctuating around an average per-minute share of 28.67%.

Finally, we observed similar skewness when examining update distributions across prefixes and AS paths. For example, roughly 17% of prefixes accounted for 90% of all updates, while only two AS paths accounted for approximately 25% of the total update volume. These patterns suggest that repeated updates are often concentrated along specific routing paths, potentially reflecting misconfigured or buggy routers along those AS paths.

Finding 3: Frequently announced prefixes exhibit uneven announcement patterns across collectors

Our final goal was to determine whether highly announced prefixes exhibit similar update patterns across collectors or are localised to specific collectors.

We analysed the MRT archives for December 2021 and focussed on prefixes with unusually high frequency announcements. We used the Perth collector as a reference vantage point to identify the top 1% of prefix by update volume, as it consistently produced the largest update volumes during our study. We referred to these 841 prefixes as our candidate set. We then tracked these prefixes across RouteViews collectors to determine their visibility and selected the top 10 collectors for comparison, as they observe more than 99.7% of the candidate prefixes. Then, we aggregated announcements of our candidate set prefixes observed at the remaining 21 collectors as rest, except for rvs6 (IPv6-only collector). Finally, we compared the number of updates observed for these prefixes to evaluate whether their announcement patterns were consistent across collectors or localised to specific collectors.

First, we observed consistently higher update counts for all the 841 candidate set prefixes at the Perth collector, with a mean update volume of 3.3M per prefix. At the same time, Linx and eqix collectors recorded a mean of 253K and 552K, respectively, for the same 841 prefixes in December 2021, indicating a clear contrast in behaviour across collectors.

Similarly, we observed a distinct pattern at the rvs6 collector, an IPv6-only collector. Only four IPv6 prefixes (0.48% of our candidate set) appeared noisy at rvs6 but remained stable across all the other collectors. AS14210 (a CDN/streaming provider) and AS208046 originated these four IPv6 prefixes, which were announced ≈15–19M times in December 2021. A single peer of the rvs6 collector contributed 1.96 billion updates (≈73.4% of the total updates at rvs6), while the top five peers together accounted for 82.51%.

In conclusion, the sustained, extremely high update counts of our candidate set at the Perth and rvs6 collectors make them clear outliers relative to the other collectors. Notably, 98.93% of the highly announced prefixes at the Perth and rvs6 collectors exhibited stable behaviour at the remaining collectors, suggesting that the excessive updates are more likely generated by specific routers along certain AS paths, potentially due to misconfigurations or buggy implementations, rather than by the prefixes or their origin ASes.

Discussion: Interpreting noisy BGP update patterns

Our study shows that noise in BGP updates is highly concentrated and often localised to a few collector peers, sessions, and AS paths. For instance, a prefix can appear noisy at one collector while remaining stable at others. From this analysis, it might initially appear that certain origin ASes or prefixes are responsible for the observed noise. However, our results indicate that noise more often arises from behaviour along the AS path, perhaps due to buggy or misconfigured routers, rather than being inherent to the origin AS or prefix itself. More concretely, we have observed that an origin AS announces multiple prefixes, some of which are noisy while others remain stable, depending on the AS paths traversed. Considering this complexity, route collector operators should not handle excessive update storms from certain peers by simply disabling them or filtering out highly announced prefixes. Instead, they should localise the noise by identifying the noisy session and collaborating with the affected operators to resolve the issue while preserving connectivity on other stable sessions of the affected peers.

Understanding these intricate issues is also essential for correctly interpreting BGP updates. Therefore, measurement studies should account for the highly skewed update contributions from a few collector peers to ensure accurate representation of routing dynamics and avoid biased interpretations. Finally, although retaining MRT archives in full remains essential for diagnosing abnormal routing behaviour and understanding anomalies in internet routing, we argue that researchers can benefit from pruning redundant updates based on their measurement goals.

Future work

We plan to extend this analysis to other collector infrastructures to determine whether we can observer similar noise patterns across collector platforms. We also aim to collaborate with network operators to better understand the potential causes of persistent, repeated updates, including router misconfigurations, implementation issues, and configuration choices along specific routing paths. Finally, we plan to evaluate how pruning high-frequency announcements affects measurement studies by applying our pruned data to existing studies and assessing whether we can achieve comparable results.

Acknowledgment

We would like to express our gratitude to the Network Security programme of the Twente University Centre for Cybersecurity Research (TUCCR) under grant number 20003215. Cristian's work was also part of the CATRIN and UPIN projects, both of which received funding from the Dutch Research Council (NWO).