What is botseed?

This is mostly for entertainment. Do not use it for anything that matters. The randomness is real, but the source is a stream of bots doing increasingly ridiculous things to a website that was built specifically to humiliate them.

Botseed generates random numbers from live web traffic. The number updating on the front page is real — seeded by whatever crawler just probed for a WordPress vulnerability, tried to scrape a fake compensation dataset, or attempted to exfiltrate a .env file that contains nothing useful.

The source

The traffic comes from a honeypot — a fake corporate website designed to attract, trap, and waste the resources of automated crawlers. It has been running for years and receives a continuous stream of bot activity around the clock: AI training crawlers, SEO tools, exploit scanners, credential stuffers, and things that defy easy categorization.

The site is an elaborate trap. Infinite archives that branch exponentially. Watermarked fake research reports containing subtly wrong facts. A fake internal employee portal that logs any credentials submitted to it. Convincing responses to WordPress and webshell probes. Every request is logged, classified by bot type, and — courtesy of botseed — converted into entropy.

Project code: github.com/dsilvers/acpwb

How the number is generated

Each incoming request is serialized to JSON and combined with 32 bytes of hardware entropy from the operating system. The two are concatenated and hashed with SHA-256. The resulting 256-bit digest is interpreted as a big-endian integer and used to seed a Python random.Random instance — an isolated instance, not the global random state. Calling .random() on it produces a float. The leading 0. is stripped and the remaining digits are displayed as an integer.

The hardware entropy means the output is unpredictable even if an attacker controls the request content. The request content means every number is demonstrably derived from something real that just happened on the internet.
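The mixing step described above, written out as an added example; this is not the project's own code. The JSON options, the concatenation order (request bytes first), the request field names, and the handling of floats that Python prints in exponent notation are assumptions.

```python
import hashlib
import json
import os
import random
from decimal import Decimal
from typing import Optional

# Constructed sample request; the field names are assumptions, not the project's schema.
SAMPLE_REQUEST = {
    "method": "GET",
    "path": "/wp-login.php",
    "user_agent": "ExampleBot/1.0",
    "remote_addr": "192.0.2.10",
}


def fraction_digits(value: float) -> str:
    """Return the digits after '0.' for a float in [0, 1).

    repr() switches to exponent notation below 1e-4 ('5e-05'), so a plain
    string strip would fail there; Decimal renders the same value positionally.
    """
    if not 0.0 <= value < 1.0:
        raise ValueError("expected a float in [0, 1)")
    return format(Decimal(repr(value)), "f").split(".", 1)[1]


def botseed_number(request: dict, hw_entropy: Optional[bytes] = None) -> int:
    """Mix one logged request with 32 bytes of OS entropy into a number."""
    if hw_entropy is None:
        hw_entropy = os.urandom(32)  # OS CSPRNG; the part an attacker cannot choose
    if len(hw_entropy) != 32:
        raise ValueError("expected exactly 32 bytes of entropy")
    # Assumed serialization: sorted keys, compact separators, request bytes first.
    payload = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(payload + hw_entropy).digest()
    seed = int.from_bytes(digest, "big")  # 256-bit big-endian integer
    rng = random.Random(seed)  # isolated instance; global random state untouched
    return int(fraction_digits(rng.random()))


if __name__ == "__main__":
    # Same attacker-chosen request twice: fresh OS entropy changes the output.
    print(botseed_number(SAMPLE_REQUEST))
    print(botseed_number(SAMPLE_REQUEST))
```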

Output is rate-limited to 20 events per second. During traffic bursts, older events are dropped. During quiet periods the stream pauses — no synthetic events are inserted to fill the gap.

The stream

The acpwb.com Django application publishes every request to a Redis pub/sub channel. A separate processor subscribes, computes the entropy mix, and republishes to a second channel. A standalone asyncio WebSocket service fans that channel out to browser clients. The static HTML you are reading is served directly by nginx — there is no application server involved in delivering this page.

The latest value is also available via a single HTTP endpoint for polling use: /api/v1/current.
