You could presumably log some such packets in iptables -- but that assumes you actually receive duplicate packets. If NSA owns a router between you and the target for spoofing, there's no reason that router need to relay the "correct" packet. I know a lot of the text on these attacks states something along the lines of "replies before the legitimate packet arrives" -- I'm just not certain it's that simple in practice.
edit2: Perhaps a logging dns resolver (to track "strange" ip changes) coupled with an iptables rule that uses contrack and logs INVALID packets is a start?
edit: This might be of interest:
http://ask.wireshark.org/questions/8490/tcp-retransmission-i...
edit2: Perhaps a logging dns resolver (to track "strange" ip changes) coupled with an iptables rule that uses contrack and logs INVALID packets is a start?