Fuzzing GTP-U

One of our customers asked us to provide a beSTORM GTP-U fuzzer module. A look at the spec showed that the protocol is relatively straightforward and quite well documented, but the documentation itself is hard to find: multiple specs define various “versions” (more like revisions) of the protocol, spanning the 15 years of history behind it.

The protocol is not currently endorsed by the IETF but by the 3GPP group, so if you are looking for the GTP-U specification, look up 3GPP TS 29.060; it has what you need.

Once we finished building the module we ran some tests, and it doesn’t look good for the GTP implementors. I guess the lack of tools for testing, fuzzing and compliance checking of the GTP infrastructure has left a lot of room for the security players to come in and bash their heads.

Good luck with your GTP fuzzing!
