Interestingly enough, OpenBSD uses a flavor of this PRNG for another field, this time the IP fragmentation ID, part of the OpenBSD kernel network stack. The analysis carries over quite similarly to show that OpenBSD's IP ID is predictable as well, which gives way to O/S fingerprinting, idle-scanning, host alias detection, traffic analysis, and in some cases, even to TCP blind data injection.
Can you expound upon the blind TCP injection allowed by IP ID prediction?
Amit Klein, CTO, Trusteer
Tim Newsham http://www.thenewsh.com/~newsham/
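A self-audit check for the IP ID predictability discussed above, added here as an example (it is not code from either poster and makes no claim about OpenBSD's actual generator): given IP identification values observed in order from a host you administer, it classifies how predictable the generator looks. The sample sequences and the thresholds are constructed assumptions.

```python
"""Classify observed 16-bit IP ID samples by how predictable they look.

Feed it the IP ID field from successive packets sent by one host (for
example, replies to probes against your own machine).  The classes and
thresholds are assumptions chosen for this example, not an official test.
"""
from typing import Sequence


def classify_ipid_sequence(ids: Sequence[int]) -> str:
    """Return a coarse predictability class for IP IDs observed in order.

    'constant'     every sample identical (e.g. always zero)
    'incremental'  every step is +1 modulo 2^16: trivially predictable
    'small-step'   every step positive and <= 256: easily predictable
    'random-ish'   no repeats and deltas spread widely over the 16-bit space
    'low-entropy'  anything else: treat as suspect and look closer
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    # Work modulo 2^16 so a counter wrapping from 0xffff to 0x0000 still reads as +1.
    deltas = [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]
    if all(d == 0 for d in deltas):
        return "constant"
    if all(d == 1 for d in deltas):
        return "incremental"
    if all(0 < d <= 256 for d in deltas):
        return "small-step"
    # Assumed heuristic: distinct IDs and a delta spread over a quarter of the space.
    spread = max(deltas) - min(deltas)
    if len(set(ids)) == len(ids) and spread > 0x4000:
        return "random-ish"
    return "low-entropy"


# Constructed sample captures (not real traffic), one list per hypothetical host.
SAMPLES = {
    "counter":   [0xFFFE, 0xFFFF, 0x0000, 0x0001, 0x0002],
    "bursty":    [10, 30, 50, 75, 100],
    "zeros":     [0, 0, 0, 0],
    "scrambled": [0x3A7F, 0x91C2, 0x0C55, 0xE310, 0x5B84, 0x2DEF],
}


def audit_samples(samples: dict = SAMPLES) -> dict:
    """Classify every sample sequence; returns {host_name: class}."""
    return {name: classify_ipid_sequence(ids) for name, ids in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:10s} {verdict}")
```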