Only a fraction of those open servers were used to launch the attack on Spamhaus. It's conceivable the attackers could have generated a lot more traffic if they had tapped more open DNS resolvers.
A DNS resolver is supposed to only handle DNS look-up requests made from inside its own domain or known IP address range. Open DNS resolvers, on the other hand, accept and respond to queries from outside their own domain, making them vulnerable to exploitation. Virtually anyone on the Internet can exploit open DNS servers and get them to participate in a DDoS attack.
The Spamhaus attacks have attracted some long-overdue attention to the problem. Several security experts are hoping that this will finally get more ISPs and DNS server operators to configure their systems more securely to prevent them from being co-opted into similar attacks in the future.
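An operator can verify the distinction described above by sending a recursive query to their own resolver from a host outside its address range and reading the reply header. The sketch below is an added example, not part of the original article; its function names and sample packets are constructed for illustration, and it classifies replies offline rather than sending traffic.

```python
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # DNS header flag bits (RFC 1035)
REFUSED = 5                            # RCODE a restricted resolver returns

def build_query(qname, txid=0x1234):
    """Recursive (RD=1) A/IN query, as a client outside the network sends it."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", 1, 1))

def classify_response(resp, txid=0x1234):
    """Return 'open', 'restricted', 'no-recursion' or 'malformed'."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & QR:
        return "malformed"          # wrong transaction ID or not a response
    rcode = flags & 0x000F
    if rcode == REFUSED:
        return "restricted"         # resolver declined to serve this client
    if flags & RA and rcode == 0 and ancount > 0:
        return "open"               # recursion offered and an answer returned
    return "no-recursion"           # e.g. authoritative-only server, RA clear

def sample_response(flags, ancount):
    """Constructed reply for example.com; 192.0.2.1 is a documentation address."""
    question = build_query("example.com")[12:]
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes([192, 0, 2, 1]))
    return (struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
            + question + answer * ancount)

if __name__ == "__main__":
    for name, flags, an in [("answers outsiders", QR | RD | RA, 1),
                            ("refuses outsiders", QR | RD | REFUSED, 0),
                            ("authoritative only", QR | RD, 0)]:
        print(name, "->", classify_response(sample_response(flags, an)))
```

An "open" result only indicates a problem when the query was sent from outside the resolver's intended client range; the same reply to an internal client is normal behaviour.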
It would be a pity if CloudFlare's overenthusiasm in talking about the story diverts attention from the bigger security issue at stake.