Oh good grief.
The most boggling part of XML DTD retrieval for me (which was what was used in this attack, if I understand correctly) is that you don't even need the DTD in order to parse XML. XML's syntax is so regular that you don't need the schema to get a parse tree. Nevertheless, XML parsers go off retrieving stuff anyway, just in case. Some XML parsers don't bother to cache it by default, either, so you're continually reparsing a small local XML file from your disk and it's fetching a giant DTD repeatedly from the web.
And people use this stuff on purpose. I don't get it.
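The fetch-per-parse behaviour the comment describes, shown with Python's `xml.sax` as an added example that is not part of the comment above: a custom entity resolver records every external DTD the parser asks for and hands back an empty stand-in instead of touching the network, and the same document is parsed three times with external loading enabled and then disabled. The document and its DTD URL are constructed for the example.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed sample: a tiny document whose DOCTYPE points at a remote DTD.
# The host is a placeholder; nothing is ever fetched from it.
DTD_URL = "http://dtd.example.invalid/huge.dtd"
SAMPLE_XML = ('<?xml version="1.0"?>\n'
              '<!DOCTYPE note SYSTEM "%s">\n'
              '<note><to>ops</to><body>hello</body></note>\n' % DTD_URL).encode()


class RecordingResolver(EntityResolver):
    """Logs each external entity/DTD the parser requests and returns an
    empty byte stream, so the parser never opens a network connection."""
    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = InputSource(systemId)
        src.setByteStream(io.BytesIO(b""))  # empty stand-in for the DTD
        return src


class TextCollector(ContentHandler):
    """Gathers character data so we can confirm the parse still succeeds."""
    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_counting_fetches(xml_bytes, load_external, repeats=3):
    """Parse the same bytes `repeats` times with a fresh parser each time.
    Returns (list of DTD URLs the parser asked for, text of the last parse)."""
    resolver = RecordingResolver()
    for _ in range(repeats):
        collector = TextCollector()
        parser = xml.sax.make_parser()
        # feature_external_ges controls whether external entities/DTDs are loaded.
        parser.setFeature(feature_external_ges, load_external)
        parser.setEntityResolver(resolver)
        parser.setContentHandler(collector)
        parser.parse(io.BytesIO(xml_bytes))
    return resolver.requested, "".join(collector.text)
```

With loading enabled the resolver is asked for the same DTD on every parse, and with it disabled the document still parses identically with zero requests.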