"TCP Fast Open is a stellar example of one such modification to TCP: eight years after it was first proposed, it is still not widely deployed, largely due to middleboxes."
Fast Open is a bad idea for a bunch of other reasons, mainly the client spoofing their address yet still being able to use a lot of resources on the server.
Where would the client get a valid cookie from if they are "spoofing their address"?
If they don't have a valid cookie, Fast Open costs the same as regular TCP in the face of adversaries trying to DoS you. You examine the packet, it doesn't have a valid cookie, you discard it. No further work, just like ordinary TCP.
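The server-side cookie check discussed in the comment above, as an added sketch that is not code from this thread or from any TCP stack. It assumes the cookie is an HMAC-SHA256 over the client's source address truncated to 8 bytes; the function names, key and addresses are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

COOKIE_LEN = 8             # assumption: RFC 7413 permits 4 to 16 bytes
KEY = bytes(range(16))     # constructed server-only secret, never sent to clients


def make_cookie(key: bytes, src_ip: str) -> bytes:
    """MAC over the source address, issued to a client after a full handshake."""
    packed = ipaddress.ip_address(src_ip).packed
    return hmac.new(key, packed, hashlib.sha256).digest()[:COOKIE_LEN]


def handle_syn(key: bytes, src_ip: str, cookie, data: bytes):
    """Decide what to do with a SYN that carries data and (maybe) a cookie.

    Returns (action, data_delivered_to_application).
    """
    if cookie is not None and hmac.compare_digest(cookie, make_cookie(key, src_ip)):
        # Cookie matches the claimed source: data reaches the application early.
        return ("accept_data", data)
    # Missing or invalid cookie: SYN data is dropped and the connection costs
    # the same as an ordinary three-way handshake.
    return ("regular_handshake", b"")


def demo():
    honest, other = "192.0.2.10", "198.51.100.7"   # constructed documentation IPs
    cookie = make_cookie(KEY, honest)              # learned via an earlier handshake
    return {
        "valid": handle_syn(KEY, honest, cookie, b"GET /"),
        # Same cookie presented with a different source address fails the MAC.
        "wrong_source": handle_syn(KEY, other, cookie, b"GET /"),
        "guessed": handle_syn(KEY, other, b"\x00" * COOKIE_LEN, b"GET /"),
        "no_cookie": handle_syn(KEY, honest, None, b"GET /"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```
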
Anyone remember TTCP?