Open DNS resolvers accept recursive queries from any source address and resolve them against the authoritative name servers on the requester's behalf; a list of known open resolvers is published at http://openresolverproject.org/. Similarly, Network Time Protocol (NTP) servers with the "monlist" command enabled let any host ask for the last 600 addresses that have connected to that server, a reply far larger than the request that triggered it. Knowing this, an attacker (possibly using a bot) sends a DNS request whose source address is spoofed to the IP address of the victim; the open resolver then delivers its response, which is much larger than the request, to the victim instead of to the attacker. See the figure below for a pictorial description of this:
While a single bot doing this is already a serious problem, what's worse is that an attacker can direct an entire army of bots (making up a "botnet") to each send spoofed requests in the same way, so that amplified responses from many open resolvers converge on the victim at once. The figure below shows this scenario:
The following screen capture shows two requests to the same open DNS resolver. The left pane shows the packets collapsed (payload hidden), while the right pane shows one response expanded. The response is many times larger than the request that produced it, which is exactly the amplification an attacker relies on: a small amount of spoofed outbound traffic turns into a large volume of traffic aimed at the victim.