Seems like a reasonable thing to do on a sandbox specifically set up for the purpose of analyzing malware. It's not helpful to just block all connections, because you want to see what it's trying to connect to and what it's trying to send there. You don't know what it's going to try to connect to, so you can't redirect only specific things. Letting it connect to the actual internet is obviously just crazy. Redirecting everything to an internal honeypot sounds pretty reasonable.
Maybe I'm wrong, but I would guess that sandbox evasion techniques aren't intended to stop one-off reverse engineering, but rather to get around the bulk programmatic analysis that Google or FireEye does. Those require an internet connection or a replaying proxy because a lot of modern malware comes as a minimal package that downloads its payload from the web.
