IPID Attacks
Idle Scanning

Spoof SYN packets from an idle host
The target will reply with 
SYN|ACK if the port is open
RST|ACK if it is closed
The idle host will reply with
RST to the SYN|ACK (incrementing the IPID)
nothing to the RST|ACK
By watching the IPID you can tell whether the target's port was open

Nmap does this