Hi,
Beginners can get confused about what kind of architecture a fuzzing lab should consist of.
Basically, there needs to be something that requests and something that responds, so in most cases it is a server-client architecture.
Server: a node that hosts or generates the fuzz files.
Client: a node that accesses/loads those hosted/generated files in an application to check whether it crashes.
The application could be anything that interests a researcher, and the fuzz files need to be hosted or generated on the fly on the server accordingly. Some prefer to generate fuzz files of their interest beforehand and host them on the server; others prefer generating them on the fly. This write-up focuses a bit on 'generating & hosting' files.
Disclaimer: I am no expert on this; just sharing what I've observed and understood so far.
Generating & Hosting Files on Server:
On a smaller scale, a researcher could have just a single machine hosting both the server (LAMP/WAMP) and the client node. That is fine for testing out fuzzer code (write your own from scratch) and some basic tests, but the hardware should be improved gradually if the work gets serious.
My suggestions:
1. Use Linux: there may be a requirement to generate millions of test cases (fuzz cases). Unfortunately, file generation starts crawling on Windows once more than a million files have been generated in a single directory. In my test, the same code started crawling after generating 1.1M files on Windows but worked perfectly on Linux even after generating 2.4M files (I did not go beyond that).
2. If using LAMP, Apache needs to be tuned to withstand the DDoS that your own test nodes effectively mount on it. Fuzzing goes in spikes: most test cases won't bother the application at all, a few cause minor glitches, and a few simply hang the application. Assume your lab has 10 client nodes and 1 server. While the applications on those 10 nodes are processing fuzz cases without glitches, Apache is serving a great many requests concurrently, and that is where the DDoS on it starts. With 10 nodes it is not just 10 requests/second; depending on the researcher's code it can grow many times over.
3. Use mpm_event: with LAMP, the MPM (multi-processing module) that comes by default is mpm_prefork. It has to be replaced to meet fuzz lab requirements. mpm_event is the latest stable member and is highly recommended for concurrency.
My tests have shown that mpm_prefork failed to serve more than 7 client nodes, while mpm_event served 24 nodes perfectly (I am not sure what its limit is).
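To make points 1 and 3 concrete, here is an added example (my own script, not code from the original post). It writes mutated copies of a seed file into a sharded directory tree, so that no single directory ever holds millions of files, and it prints an mpm_event tuning block sized for a given number of client nodes. The sharding scheme, the random-byte mutation, the 25 threads-per-child figure and the per-node connection estimate are all my assumptions; the post itself only says to use Linux and to switch to mpm_event.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: cases are sharded
# into fixed-size directories; mutation = overwrite a few random bytes of a
# seed; mpm_event sizing = nodes * connections-per-node, 25 threads per child.
set -eu

# Random integer in [0, bound) drawn from /dev/urandom (POSIX tools only).
rand_below() {
    bound=$1
    n=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    echo $(( n % bound ))
}

# Write one mutated copy of $1 to $2 by overwriting $3 random bytes in place.
mutate_file() {
    seed=$1; out=$2; nbytes=$3
    cp "$seed" "$out"
    size=$(wc -c < "$seed" | tr -d ' ')
    i=0
    while [ "$i" -lt "$nbytes" ]; do
        off=$(rand_below "$size")
        byte=$(rand_below 256)
        # Inner printf builds an octal escape (\101); outer printf emits the byte;
        # dd patches it at offset $off without truncating the file.
        printf "$(printf '\\%03o' "$byte")" | dd of="$out" bs=1 seek="$off" conv=notrunc 2>/dev/null
        i=$((i + 1))
    done
}

# Generate $3 cases from seed $1 under root $2, $4 files per shard directory.
# Also writes $2/index.txt, one relative path per line, for client nodes to walk.
gen_cases() {
    seed=$1; root=$2; count=$3; per_dir=$4
    i=0
    while [ "$i" -lt "$count" ]; do
        shard=$(( i / per_dir ))
        dir=$(printf '%s/%05d' "$root" "$shard")
        mkdir -p "$dir"
        mutate_file "$seed" "$(printf '%s/case-%08d.bin' "$dir" "$i")" 4
        i=$((i + 1))
    done
    (cd "$root" && find . -type f -name 'case-*.bin' | sort) > "$root/index.txt"
}

# Print an mpm_event block for $1 client nodes, each assumed to keep up to $2
# connections open at once. All children are started up front because fuzz
# traffic arrives in spikes rather than ramping up slowly.
mpm_event_conf() {
    nodes=$1; per_node=$2
    tpc=25                                  # ThreadsPerChild (assumed value)
    workers=$(( nodes * per_node ))
    servers=$(( (workers + tpc - 1) / tpc )) # ceil(workers / tpc)
    cat <<EOF
<IfModule mpm_event_module>
    StartServers             $servers
    MinSpareThreads          $tpc
    MaxSpareThreads          $(( tpc * 2 ))
    ThreadsPerChild          $tpc
    ServerLimit              $servers
    MaxRequestWorkers        $(( servers * tpc ))
    MaxConnectionsPerChild   0
</IfModule>
EOF
}

# Usage when run directly (paths are placeholders):
#   ./fuzzlab.sh seed.bin /var/www/html/cases 1000000 10000 > mpm_event.conf
if [ "$#" -eq 4 ]; then
    gen_cases "$1" "$2" "$3" "$4"
    mpm_event_conf 24 2
fi
```

The generated block belongs in mods-available/mpm_event.conf after `a2dismod mpm_prefork` and `a2enmod mpm_event`; because mod_php only works with prefork, PHP must then be served through php-fpm, which is what the php5-fpm link below covers. The per-byte `dd` call is slow for millions of cases; it is written that way to stay POSIX, and a real generator would mutate in memory.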
The following links could help in setting up such a lab:
https://www.digitalocean.com/communi...tack-on-ubuntu
https://www.digitalocean.com/communi...n-ubuntu-12-04
http://jaswsinc.com/ubuntu-lamp-apac...tcgi-php5-fpm/
http://askubuntu.com/questions/45337...hread-safe-php
http://askubuntu.com/questions/52477...ble-worker-mpm
http://serverfault.com/questions/383...che-mpm-to-use
http://www.vps.net/blog/2013/04/08/a...ker-and-event/
.... sharing is caring
Cheers!
PS: It would be appreciated if people shared their experiences as well.