Live on the globe now: 103 tracked
Most of overwatch.earth shows the physical world; this layer shows the invisible one that holds it together — the global routing system that decides how every packet finds its way. The internet is tens of thousands of independent networks (autonomous systems) that announce which blocks of addresses they can reach using BGP, the Border Gateway Protocol. When those announcements change in suspicious ways, something is happening: a network leaking routes it should not, a possible prefix hijack, an outage as prefixes are withdrawn, a bogon (an address block that should not be announced at all), or an RPKI-invalid announcement that fails cryptographic origin checks. This layer streams those events live from WorldIP.io's Pulse feed, alongside slower RIR allocation changes (when address space is transferred or re-registered between regions). Each event is placed at the centroid of the country it resolves to and scattered slightly so active regions render as a cloud rather than a single dot; red and orange points are the high-signal anomalies — leaks, hijacks and withdrawals — while the cooler points are the steady background of RPKI-invalids and newly-seen prefixes. Events live on the globe for a few minutes and then age out, so what you see is a rolling picture of the last few minutes of the internet's control plane. Click any point to inspect the prefix, the networks (ASNs) involved and the detector's reasoning. It is one of about 30 live layers you can solo on the same interactive Earth.
Data source: WorldIP.io
From WorldIP.io's Pulse API, which watches the global BGP routing table and RIR allocation registries and emits geo-tagged events: route leaks and AS-path anomalies, prefix withdrawals, bogons, RPKI-invalid announcements, newly-seen prefixes, and allocation transfers. overwatch.earth polls it server-side every few seconds.
A BGP hijack is when a network announces address space it does not own, pulling traffic toward itself; a route leak is when routes are passed somewhere they should not go, often by accident. Both show up as AS-path anomalies (red points) and can reroute or black-hole traffic, which is why they are worth watching.
Routing events do not have a precise street address — they belong to a network, which we resolve to a country (from the announced prefix, or the network's home country as a fallback). Points are placed at the country centroid and scattered slightly so busy countries read as a cloud of activity rather than one overlapping marker.
It is a live rolling window: each refresh shows roughly the last few minutes of events, so points appear, persist briefly, and fade. Bursts of one type are normal — detectors run on their own cadences, and the noisier categories (RPKI-invalids, multi-origin routes) are down-sampled so the genuine anomalies stay visible.