TCP Fast Open is a terrible idea, and RFC 7413 should be marked as historic so that no one actually tries to implement it. Google has given up on it in favor of QUIC and so should everyone else. QUIC allows for "zero RTT" requests that are also signed (preventing spoofing).

We started blocking these large requests over 3 years ago when we started seeing them. Interestingly enough, that was a full 6-9 months before Radware wrote an article and coined the term Tsunami SYN. We just called it "big SYN". The attack is trivially easy to stop, and anyone running a client that tries a TCP Fast Open should expect failure frequently.