i got a couple of references on ip_id/DNS id attacks:

	smb's paper on counting hosts behind NAT using ip_id.  if you use
	non-random ip_id, number of hosts behind NAT will be revealed.

	There is a tool that exploits sequential DNS ids blindly at:
	http://www.packetfactory.net/Projects/zodiac/

	note also freebsd and Solaris do randomize ip_id.
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_output.c.diff?r1=1.188&r2=1.189

itojun