Penalising just the wrong attempts won't work. If a successful attempt
normally gives an ACK after 1s, the attacker won't bother to hang around
for your NACK if you delay it for 5s or 60s or whatever. Therefore all
decent systems delay *both* answers.
You probably have to limit the delay to one minute or less, or your
legitimate users will just declare your host broken.