Greetings,
Did you all see this Wired article about Quantum Insert detection?
https://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-...
These TCP injection attacks are used by various entities around the world (not just NSA!) to target individuals for surveillance or perhaps to add their computers to a botnet for other purposes.
If you do not use a VPN or Tor you can run "Quantum Insert" detection on your computer and detect when you receive an attack attempt. However be advised that proper sandboxing is important here because intrusion detection and protocol anylsis tools are notoriously insecure and get pwned all the time.
If you are a Tor exit relay operator you have the options of running detection software; However you should not publish the results publicly without mixing in some noise or your published data might make it possible for some adversaries to deanonymize Tor users. If your country has strict telecommunications laws then it might only be legal for you to perform this type of detection if you do not perform logging.
For the past several months... in my free time I've been slowly developing a very comprehensive TCP injection attack detection tool called HoneyBadger:
https://github.com/david415/HoneyBadger
Quantum Insert is a NSA codeword for "TCP injection attack", however either of these terms are too vague. During my research I was able to classify 4 different types of TCP injection attack. When I say that HoneytBadger is comprehensive what I mean is that Honeybadger can detect ALL of these types of TCP injection attack types... I describe them briefly here:
https://honeybadger.readthedocs.org/en/latest/
Here's the Fox-IT blog post about their Quantum Insert detection software: http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/
I am going to work on writing a much more comprehensive blog post; it will be filled with gory technical details AND it will include information on how to use HoneyBadger. HoneyBadger has optional (off by default) full-take logging which could enable you to capture a zero-day payload from a TCP attack; you should then responsibly disclose to the software vendor or contact a malware analyst to help out!
Sincerely,
David Stainton