Abstract: Understanding how IP addresses are utilized is very important for network administrators and for network security research. This paper proposes a methodology for detecting active IP addresses based on sampled flow records. The core idea of the methodology is that IP addresses with two-way communication traffic are active. The method is based on passive measurement and uses sampled flow records as its data source, which makes it possible to deploy it at the boundary of backbones. Furthermore, the impacts of flow sampling and spoofed traffic on the method are discussed. DPI technology is used to validate the accuracy and efficiency of the method. Finally, the method is deployed at all 38 nodes of CERNET to detect the active IP address space in the whole CERNET network.
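
The two-way-traffic idea described above, as an added example that is not code from the paper. The record layout (source and destination address only), the monitored prefix, and the rule of matching both directions against the same outside peer are assumptions made for illustration; the paper's own treatment of sampling and spoofing is not reproduced here.

```python
import ipaddress
from collections import defaultdict

# Assumption: 192.0.2.0/24 (a documentation range) stands in for the monitored network.
MONITORED = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample of sampled flow records, reduced to (src_ip, dst_ip).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.7"),  # inside host sends out ...
    ("198.51.100.7", "192.0.2.10"),  # ... and the peer answers: two-way
    ("203.0.113.5", "192.0.2.20"),   # inbound only, never answered
    ("203.0.113.5", "192.0.2.21"),   # inbound only, never answered
    ("192.0.2.99", "198.51.100.8"),  # outbound only, e.g. a spoofed source
    ("198.51.100.9", "192.0.2.30"),  # reply sampled before the request:
    ("192.0.2.30", "198.51.100.9"),  # record order must not matter
    ("192.0.2.10", "192.0.2.30"),    # inside-to-inside, not boundary traffic
]

def is_monitored(addr):
    """True if addr belongs to one of the monitored prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MONITORED)

def active_addresses(flows):
    """Monitored addresses seen both sending to and receiving from the same outside peer."""
    out_peers = defaultdict(set)  # inside address -> outside peers it sent to
    in_peers = defaultdict(set)   # inside address -> outside peers that sent to it
    for src, dst in flows:
        src_in, dst_in = is_monitored(src), is_monitored(dst)
        if src_in and not dst_in:
            out_peers[src].add(dst)
        elif dst_in and not src_in:
            in_peers[dst].add(src)
        # flows with both or neither end inside are ignored
    active = [a for a in out_peers if out_peers[a] & in_peers.get(a, set())]
    return sorted(active, key=ipaddress.ip_address)

if __name__ == "__main__":
    for addr in active_addresses(SAMPLE_FLOWS):
        print(addr)
```

One-way records, whether unanswered inbound traffic or outbound packets with a forged source, never mark an address as active under this rule.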