One consideration is that with DOS attacks the attacker is trying to make the receiving end do
as much work as possible for as little cost to the attacker as possible. So with this
implementation he'd use an odd combination of option flags to make your server burn as much
bandwidth as possible. More than he is using in sending out SYN packets.
You can't really put more data in your ACK than he is putting in his SYN or you will lose.
Good security requires careful thought :-)