I'd say this is the same as for a page returned that contains the current time - and many of these are done using GET. Abstractly, fetching a random number (or time) the server's state doesn't change - both time and random numbers can be described as an observation of an external event. E.g. http://random.org use atmospheric noise.

GET seems most appropriate, although caching will need to be disabled via appropriate headers, e.g.

Expires: <Current Time>
Last-Modified: <Current Time>
Cache-Control: no-cache, must-revalidate
Pragma: no-cache

If you want to ensure that the served content is already expired:

To mark a response as "already expired," an origin server sends an Expires date that is equal to the Date header value. (See the rules for expiration calculations in section 13.2.4.)

• http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

Definitely GET. Even though it might modify server-side state (if it uses a pseudo-RNG), that's just an implementation detail the client shouldn't care about.

• definition of REST-call with GET: the result have to be the same -> not GET.
• definition of REST-call with PUT: the result of the call can be repeatable, the server should not have problem with it -> use PUT

POST is the weakest method and can used if other are not useful.

Why not GET: the result of GET-call can be cachet (cache-header, etag oder transparent proxies) and you dont will get random results ...