In principle, fingerprinting could detect the attack. But you may have noticed that it is typically a probabilistic method, in which case you can't tell for certain whether any individual packet is benign or forged in order to block it reliably.
It is better to look at metadata fields like TTL, which for a genuine packet will probably be lower than for a forged one because it went through more routers, each decrementing the counter. It is meaningful to drop a packet if its TTL differs significantly from the ones previously observed in the connection. This could probably be implemented using iptables connmark match/CONNMARK target rules (recording the TTL for new connections into the connection mark and checking it for subsequent packets).
You might know that many Internet resources in Russia are blocked. The technology for blocking differs, but one of them is to do exactly what you are telling us: if the ТСПУ device (which stands for "технические средства противодействия угрозам", technical means for countering threats; it is essentially a DPI) thinks the connection should be blocked, it could send a TCP RST. It doesn't block (or at least didn't block) the subsequent normal packets, so if you had a means of detecting and eliminating the RST packet, you could freely use the "blocked" resource. There is a website dedicated to methods of circumventing censorship, ntc.party (I am not affiliated with it in any way). In particular, one of the active members of the community, ValdikSS, made a piece of software, goodbyeDPI, which was able to circumvent such blocking. It seems to use the mentioned TTL insight too. He also lists other software with a similar function.
Also, I want to specifically address the question in the title. IPsec wraps the whole IP packet (including TCP) or only its payload and authenticates it with an electronic signature, thereby making it impossible to tamper with using the methods you describe. You are not required to encrypt a packet: there is the IPsec ah header, which only adds (and checks) a MAC and otherwise presents it in cleartext. Or you can encrypt by using the esp header.
Unfortunately, you can't rely on this when you connect to arbitrary "anonymous" services, because for enabling IPsec you need to share keys with the party prior to using the technology.
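The TTL comparison described in the answer, sketched as an added example that is not part of the original answer or of any tool it mentions. The packet records, addresses and the `tolerance` value are constructed assumptions; the baseline is kept per direction, because each side of a connection has its own hop count.

```python
from collections import namedtuple

# Constructed packet record: only the header fields the check needs.
Packet = namedtuple("Packet", "src sport dst dport ttl flags")

def find_ttl_outliers(packets, tolerance=2):
    """Return indexes of packets whose TTL deviates from the flow's baseline.

    The baseline is the TTL of the first packet seen in each direction of a
    connection; `tolerance` (an assumed value) absorbs small route changes.
    """
    baseline = {}   # (src, sport, dst, dport) -> TTL of first packet seen
    outliers = []
    for i, p in enumerate(packets):
        flow = (p.src, p.sport, p.dst, p.dport)  # directional on purpose
        if flow not in baseline:
            baseline[flow] = p.ttl
            continue
        if abs(p.ttl - baseline[flow]) > tolerance:
            outliers.append(i)
    return outliers

def suspicious_resets(packets, tolerance=2):
    """Subset of TTL outliers that carry the RST flag."""
    return [i for i in find_ttl_outliers(packets, tolerance)
            if "R" in packets[i].flags]

# Constructed sample traffic (documentation address ranges).
CLIENT, SERVER = "198.51.100.5", "203.0.113.10"
SAMPLE = [
    Packet(CLIENT, 51000, SERVER, 443, 64, "S"),
    Packet(SERVER, 443, CLIENT, 51000, 52, "SA"),
    Packet(CLIENT, 51000, SERVER, 443, 64, "A"),
    Packet(CLIENT, 51000, SERVER, 443, 64, "PA"),
    Packet(SERVER, 443, CLIENT, 51000, 61, "R"),   # TTL far from baseline 52
    Packet(SERVER, 443, CLIENT, 51000, 51, "PA"),  # genuine, small route jitter
    Packet(SERVER, 443, CLIENT, 51000, 52, "R"),   # genuine reset, TTL matches
]

if __name__ == "__main__":
    for i in suspicious_resets(SAMPLE):
        print("drop candidate:", i, SAMPLE[i])
```

The baseline is only as trustworthy as the first packet seen in each direction, so a forged packet that arrives first would poison it.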