What I implemented (filterwise) is that the miner rig cannot connect to external IPs at will, but only to specific IPs (pools) and specific ports - 3333.
Even if the attacker spoofed the packet - so the source IP is from the pool, then the redirect is blocked by external filters - so no stealing can be done anymore.
Perhaps not, but if a network redirection attack is in play somewhere in the middle of your route to the mining servers, then attackers could potentially stall your rigs, as your miners would not be able to reach the real pool servers, and any legitimate IP address change by pool server operators would cause the same; both of these circumstances can be mitigated by configuring multiple redundant pools.
Also if they are able to maintain that network redirection for any length of time, then there is nothing to stop your miners from working for them directly.
What you have implemented is a good strategy to reduce your attack surface, but not a 100% fix. And neither would my netstat monitoring strategy (posted somewhere above) alert you that something like this was taking place. (Though as yet we have not had anyone report this specific case.) The only fully effective long term detection and avoidance solution to miner hijacking is stratum server authentication.
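The two posts above describe an egress allowlist on the rig and a netstat-based monitor, and then point out the blind spot both share: an in-path redirection to the legitimate pool IP looks identical to a real connection. The following is an added example, not code from either poster, that shows both halves of that argument: it parses constructed netstat-style lines, flags established connections to any endpoint that is neither a LAN address nor an allowlisted pool on port 3333, emits the equivalent nftables egress policy, and includes a second constructed sample in which a redirected session passes the check unnoticed. The pool IPs (203.0.113.10, 198.51.100.20), the LAN ranges and the interface names are assumptions chosen for the example.

```python
"""Egress allowlist check and nftables policy for a miner rig (added example, constructed data)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed pool endpoints the rig is allowed to reach (documentation addresses, not real pools).
POOL_ALLOWLIST = {("203.0.113.10", 3333), ("198.51.100.20", 3333)}

# RFC 1918 ranges treated as local management traffic (SSH from the LAN, etc.); not egress.
LAN_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Matches `netstat -tn` rows: proto recv-q send-q local:port remote:port state
NETSTAT_RE = re.compile(r"^(?:tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


@dataclass(frozen=True)
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


def parse_netstat(lines):
    """Parse netstat-style text lines into Conn records; header and LISTEN rows are skipped."""
    conns = []
    for line in lines:
        m = NETSTAT_RE.match(line.strip())
        if m:  # rows like '0.0.0.0:*' (LISTEN) fail the \d+ port match and are dropped
            conns.append(Conn(m[1], int(m[2]), m[3], int(m[4]), m[5]))
    return conns


def is_lan(ip):
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def flagged(conns, allowlist=POOL_ALLOWLIST):
    """Established connections whose remote endpoint is neither on the LAN nor an allowlisted pool."""
    return [
        c for c in conns
        if c.state == "ESTABLISHED"
        and not is_lan(c.remote_ip)
        and (c.remote_ip, c.remote_port) not in allowlist
    ]


def nft_egress_rules(allowlist=POOL_ALLOWLIST):
    """Render a default-drop OUTPUT chain that mirrors the allowlist (assumed nftables layout)."""
    lines = [
        "table inet miner_egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        '    oif "lo" accept',
        "    ct state established,related accept",
        "    ip daddr { " + ", ".join(str(n) for n in LAN_NETS) + " } accept",
    ]
    for ip, port in sorted(allowlist):
        lines.append(f"    ip daddr {ip} tcp dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed sample: one pool session, one session to an unknown host on 3333, one pool session,
# one inbound SSH from the LAN, one listener. Only 192.0.2.77 should be flagged.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.50:41022      203.0.113.10:3333       ESTABLISHED
tcp        0      0 192.168.1.50:41023      192.0.2.77:3333         ESTABLISHED
tcp        0      0 192.168.1.50:41024      198.51.100.20:3333      ESTABLISHED
tcp        0      0 192.168.1.50:22         192.168.1.7:51234       ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

# Constructed sample for the blind spot: an in-path redirection terminates the session while the
# rig still sees the legitimate pool IP and port, so neither the filter nor this check reacts.
# Only stratum server authentication (as the second post notes) distinguishes this case.
REDIRECTED_SAMPLE = """\
tcp        0      0 192.168.1.50:41030      203.0.113.10:3333       ESTABLISHED
"""


if __name__ == "__main__":
    for c in flagged(parse_netstat(SAMPLE.splitlines())):
        print(f"ALERT: {c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port}")
    print("redirected sample flagged:", flagged(parse_netstat(REDIRECTED_SAMPLE.splitlines())))
    print(nft_egress_rules())
```

Run it as-is to see one alert for the unknown 3333 endpoint and an empty list for the redirected sample; in practice the first half would be fed the output of `netstat -tn` on the rig, and the rendered policy is what the first post's filter amounts to when expressed for nftables.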