It wasn't a botnet and it wasn't 2000 miners, it was 1000 (they were mine). The pool just disconnects them so often that it gets the count wrong. I also crashed the pool frequently with only 1000 machines, which is pretty bad. If the author wants to make his source public, I'll host an additional pool myself to take load away (I host other pools).
You should use a proxy, and the pool admin should limit the number of workers with the same address.