Everything here is my opinion. I do not speak for your employer.
2014-04-11 »
Oh good grief.
The most boggling part of XML DTD retrieval for me (which was what was used in this attack, if I understand correctly) is that you don't even need the DTD in order to parse XML. XML's syntax is so regular that you don't need the schema to get a parse tree. Nevertheless, XML parsers go off retrieving stuff anyway, just in case. Some XML parsers don't bother to cache it by default, either, so you're continually reparsing a small local XML file from your disk and it's fetching a giant DTD repeatedly from the web.
And people use this stuff on purpose. I don't get it.
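To make the point about not needing the DTD concrete, here is an added example (not part of the original post) using Python's `xml.parsers.expat`: it declines the external DTD request and still gets the full parse tree. The sample document, its `example.invalid` URL, and the function name `parse_without_dtd` are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed sample: a small local file whose DOCTYPE names a remote DTD.
# example.invalid is a reserved name; nothing here touches the network.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE note SYSTEM "http://example.invalid/huge.dtd">
<note id="1"><to>ops</to><body>hello</body></note>
"""


def parse_without_dtd(data):
    """Parse `data`, declining every external fetch.

    Returns (root, declined): root is a nested dict parse tree, declined is
    the list of system identifiers the parser asked for.
    """
    declined, roots, stack = [], [], []

    def start(name, attrs):
        node = {"tag": name, "attrs": attrs, "text": "", "children": []}
        (stack[-1]["children"] if stack else roots).append(node)
        stack.append(node)

    def end(name):
        stack.pop()

    def chars(text):
        if stack:
            stack[-1]["text"] += text

    def external_ref(context, base, system_id, public_id):
        # expat calls this where a fetching parser would go to the web.
        declined.append(system_id)
        return 1  # non-zero: continue parsing without the entity

    parser = expat.ParserCreate()
    # Make expat report the external DTD subset instead of silently skipping it.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_UNLESS_STANDALONE)
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.ExternalEntityRefHandler = external_ref
    parser.Parse(data, True)
    return roots[0], declined


if __name__ == "__main__":
    tree, declined = parse_without_dtd(SAMPLE)
    print("declined:", declined)
    print("root:", tree["tag"], [c["tag"] for c in tree["children"]])
```

The `declined` list doubles as an audit trail: logging it shows which documents in a pipeline would have triggered outbound requests under a parser that resolves DTDs.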
I'm CEO at Tailscale, where
we make network problems disappear.
apenwarr on gmail.com