The only reason I can think of for a redirect rather than just a hijacking is to allow him to repoint to various compromised servers.  Enable a MITM for a few seconds, redirect some traffic to a compromised box, turn off MITM.  Very difficult to see/catch the MITM happening if its only there for a few seconds, and the results (the redirected miners) will continue happily along for a while.

The idling miners turned out to be a different issue entirely unfortunately.  We re-send the exact same work request if we haven't sent a work update after 30 seconds (we had seen some miners timing out after 30 seconds of no new work), and some miners are seeing a duplicate work request (30 seconds later) and idling for some reason.

Don't think they're related.