Post
Topic
Board Pools (Altcoins)
Re: [ANN][POOL] Profit switching pool - wafflepool.com
by comeonalready on 23/03/2014, 11:33:24 UTC
The only reason I can think of for a redirect rather than just a hijacking is to allow him to repoint to various compromised servers. Enable a MITM for a few seconds, redirect some traffic to a compromised box, turn off MITM. Very difficult to see/catch the MITM happening if it's only there for a few seconds, and the results (the redirected miners) will continue happily along for a while.

The idling miners turned out to be a different issue entirely, unfortunately. We re-send the exact same work request if we haven't sent a work update after 30 seconds (we had seen some miners timing out after 30 seconds of no new work), and some miners are seeing a duplicate work request (30 seconds later) and idling for some reason.

Don't think they're related.

One of the miners really needs to capture a client.redirect packet for analysis.  I will enable port mirroring on my switch and set up to capture relevant packets outside of the firewall on my end, but I might just never see one.  Can you clue me into the most likely server(s) whose network traffic is being inspected or redirected?
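
A check a miner operator could run over captured pool-to-miner traffic to spot the redirect discussed in this post, as an added example that is not part of the original post. It assumes Stratum's newline-delimited JSON-RPC framing and the `client.reconnect` method with `[host, port, wait]` parameters; the function name, sample traffic and host names are constructed for illustration.

```python
import json

# "client.reconnect" is the Stratum method that tells a miner to switch
# servers; "client.redirect" is the name used in the post, matched as well.
REDIRECT_METHODS = {"client.reconnect", "client.redirect"}


def find_redirects(stream, allowed_hosts):
    """Return one finding per redirect message in pool-to-miner text."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for lineno, raw in enumerate(stream.splitlines(), 1):
        try:
            msg = json.loads(raw)
        except ValueError:
            continue  # blank line, partial segment or non-JSON payload
        method = msg.get("method") if isinstance(msg, dict) else None
        if not isinstance(method, str) or method not in REDIRECT_METHODS:
            continue
        params = msg.get("params")
        if not isinstance(params, list):
            params = []
        host = params[0] if len(params) > 0 else None
        port = params[1] if len(params) > 1 else None
        # Assumption: a message with no host means "reconnect to the same
        # server", so it is not treated as a redirect to a foreign box.
        ok = host is None or str(host).lower() in allowed
        findings.append({"line": lineno, "method": method,
                         "host": host, "port": port, "allowed": ok})
    return findings


# Constructed sample of server-to-miner lines (not captured from any pool).
SAMPLE = "\n".join([
    '{"id":null,"method":"mining.notify","params":["job1","00","00","00",[],"00","00","00",true]}',
    '{"id":null,"method":"client.reconnect","params":["203.0.113.7",3333,0]}',
    'garbage-partial-segment',
    '{"id":null,"method":"client.reconnect","params":[]}',
    '{"id":2,"result":true,"error":null}',
])
ALLOWED = {"stratum.pool.example"}  # hypothetical legitimate pool host

if __name__ == "__main__":
    for f in find_redirects(SAMPLE, ALLOWED):
        tag = "ok" if f["allowed"] else "UNEXPECTED HOST"
        print(f'line {f["line"]}: {f["method"]} -> {f["host"]}:{f["port"]} [{tag}]')
```

Because the redirect may be on the wire for only a few seconds, this is meant to run over a continuous capture rather than a spot check.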