Preventing Passive Analysis

Defending against sequence-number prediction is fairly trivial, and good solutions, such as Steven M. Bellovin’s RFC1948[87] specification, have been available for a long time. However, preventing passive analysis of the numbers is quite difficult, because the problem results not only from the weakness of the algorithms, but also from the diversity of the algorithms used, which causes few systems to share the same ISN footprint. Even among systems that implement RFC1948 or that use other cryptographically secure, external entropy-based generators, behavioral patterns may vary significantly, depending on the subtleties of the algorithm and the implementor’s assumptions as to the values that would be sufficient to thwart ...
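The following sketch is an added example, not code from the book: it implements the RFC 1948 construction, ISN = M + F(localhost, localport, remotehost, remoteport, secret), and shows that the keyed hash hides the per-connection offset while the timer M still leaves an observable footprint. The MD5 choice for F follows the RFC's suggestion; the 1000 µs tick variant, the addresses, the secrets and the timestamps are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

MASK32 = 0xFFFFFFFF

def rfc1948_isn(secret, laddr, lport, raddr, rport, now_us, tick_us=4):
    """ISN = M + F(localhost, localport, remotehost, remoteport, secret)."""
    m = (now_us // tick_us) & MASK32          # M: timer, one step per tick_us
    material = (ipaddress.IPv4Address(laddr).packed + struct.pack("!H", lport)
                + ipaddress.IPv4Address(raddr).packed + struct.pack("!H", rport)
                + secret)
    # F: hash over the connection 4-tuple and the secret, truncated to 32 bits
    f = struct.unpack("!I", hashlib.md5(material).digest()[:4])[0]
    return (m + f) & MASK32

def observe(secret, tick_us, times_us, rports):
    """ISNs a passive observer would record from one server (constructed hosts)."""
    return [rfc1948_isn(secret, "192.0.2.1", 80, "198.51.100.7", rp, t, tick_us)
            for t, rp in zip(times_us, rports)]

def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2**32."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]

# Constructed sample: four connections opened 1 ms apart.
TIMES_US = [0, 1000, 2000, 3000]
SECRET = b"constructed-secret"        # hypothetical per-boot secret
SAME_TUPLE = [40000] * 4              # client reuses one source port
NEW_TUPLES = [40000, 40001, 40002, 40003]

if __name__ == "__main__":
    # Same 4-tuple: F cancels out, so deltas expose the timer rate directly.
    print("RFC 4us timer  :", isn_deltas(observe(SECRET, 4, TIMES_US, SAME_TUPLE)))
    # Hypothetical implementation with a coarser clock: a different footprint.
    print("1000us variant :", isn_deltas(observe(SECRET, 1000, TIMES_US, SAME_TUPLE)))
    # Different 4-tuples: offsets are unrelated, which is what stops prediction.
    print("new tuples     :", isn_deltas(observe(SECRET, 4, TIMES_US, NEW_TUPLES)))
```

Changing the secret changes every ISN but not the same-tuple deltas, so the timer granularity remains visible to an observer regardless of the key.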
